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• Professional troublemaker: 

• WhiskeyCon' 14 survivor! 

• Wannabe rootkits book writer 

• Recently converted whitehat. 

• Trying to build a security product for OS X. 



• I am not against spying and busting bad guys. 

• The problem is the definition of bad guy 

• The process is everything but transparent. 

• Power can and will be abused. 




• Nothing personal against HackingTeam. 

• Just shooting the messenger 

• Until I find FinFisher OS X. 

• (Ok ok, they aren't that smart and I don't like 
that!). 




(Tm) ^% Tdbk (^SMtfdM^ 

• The dropper 

• Main backdoor module. 

• M PRESS, and how to unpack it. 

• Main backdoor module part 2. 

• Debugging tips & tricks. 

• Lame persistent threat. 




(Tm) ^% Tdbk (^(SMtfdM^ 

• Encryption keys. 

• Encrypted configuration file. 

• Implementation and bundle injection. 

• C&C communications. 

• Kernel root kit. 

• Conclusions. 




WHO THE FUCK 





"Here in HackingTeam we believe that fighting 
crime should be easy: we provide effective, easy- 
to-use offensive technology to the worldwide law 
enforcennent and intelligence connmunities." 





"Our technology is used 
continents." 




to fight crime in six 




• Wishful thinking. 

• No transparency. 

• Dubious clientele? 

• If arms ennbargoes are bypassed, why would 
"cyber" stuff be different? 





• Check the reports from Citizen Lab: 

— "HackingTeam and theTargeting of Ethiopian 
Journalists". 

— "Mapping HackingTeam's "Untraceable" Spyware". 

— "HackingTeam's US Nexus". 

— "Police Story: HackingTeam's Government Surveillance 
Malware". 




• HackingTeam's Remote Control System. 

• Officially sold as DaVinci. 

• Known as Crisis or Morcut . 

• Samples found for Windows, OS X, iOS, Android. 

• New version called Galileo. 



• Known (working) Mac OS X samples: 





VT First upload 


6f055 1 5086 1 d8d6e 1 45e9aca65f92822 


24/07/ 1 2 


1 b22e4324f4089a 1 66aae69 1 dff2e636 


16/1 1/12 


a32e073 1 32ae0439daca9c82b8 1 1 9009 


1 I/I 1/13 


5a88ed9597749338dc93fe2dbfdbe684 


18/01/14 





Backdoor Rootkit Other modures 

Module Modules & oonfiguration 




• Microphone. 

• Webcam. 

• Screenshots. 

• Keylogger/mouse tracker 

• Skype/Microsoft Messenger recordin 

• Spying on browsers. 

• Etc... 




• Delivered via exploits: Flash, Word, etc(?). 

• Social engineering: "piz install me!!!". 

• Less than one megabyte. 

• This presentation is about this sample: 

• a2e3f93fc9 I cc4f05b2860537 1 d89a6c4bdb3a7e84 
I097dc76l5bc2aa43a779. 




• Why this sample? 

• Last one found/reported. 

• Initial thought to be the most recent version. 

• Laten why this conclusion appears to be wron 



Filename ^^^^^B 


^^Fu nction ^^^^^^^^H 


r\ — 1 — 1 W / K A /" — * ' \ X 1 1 

SoTHYMCj.XII 


N >1 ' 1 II II 

Mam backdoor module 


BZPYmgGVTOA 


64 bit kernel extension 


Lft2iRjk.7qa 


-"N I'll 1 1 ' 

32 bit kernel extension 


EDr5dvW8.p_w 


Bundle (fat binary) 


GARteYof._Fk 


XPC module(fat binary) 


ok20utla.3-B 


Configuration file 


q45tyh 


TIFF image 



• Tries to hide the real entry point. 

• Using a fake mainQ function. 

• Easily detected by looking at the Mach-O 
headers. 

• Something you should *always* do! 



HI- BO public take start 

HF80 fake start proc near " ; DATA XREFi _INIT STUB_hidden:0(K>0500CiO 

HF80 

HF80 var_lA = dword ptr -14h 

HF80 var_10 - dword ptr -lOh 

HF80 var__C - dword ptr -OCh 

HF80 var_8 - dword ptr -8 

HF80 ^^^^^ 

HF80 ^^^^^^ push 

HF82 ^^^^^^^ mov ebp, esp 

HF84 and esp, OFFFFFFFOh 

HF87 sub esp, lOh 

HF8A mov ebx, [ebp+4] 

HF8D mov [esp+14h+var_14], ebx 

HF91 lea ecx, [ebpfS] 

HF94 mov [esp+14h+var 10], ecx 

HF98 add ebx, 1 

HF9B shl ebx, 2 

HFgE add ebx, ecx 

HFAO mov [esp+14h+var_C], ebx 

HFA4 

HFA4 Loc_lFA4: ; CODE XREFi fake_start+2Bij 

HFA4 mov eax, [ebx] 

HFA6 add ebx, 4 

I1FA9 test eax, eax 

HFAB jnz short loc_lFA4 

HEAD ^^^^^^ mov [esp+14h+var_8], ebx 

HFBl J^f^^^^ call fake_main 

HFB6 ^^^^r^ mov [espfl4h+var_14], eax ; int 

HFBA call _exit 

HFBA fake start endp 



lllllli 



Illi 



text:OO0OlFE2 




public fake_ 


main 


text:0000lFE2 


fake_main 


proc near 


; CODE XREF: fake_start+3ltp 


text:0CKK>lFE2 










text:OOO0lFE2 


varlO 


" dword 


ptr 


-lOh 


text:0000lFE2 


varC 


- dword 


ptr 


-OCh 


text:0CKK>lFE2 










text:OOO0lFE2 




push 


ebp 




text:CKKK>lFE3 




mov 


ebp. 


esp 


text:OO0OlFE5 




sub 


esp. 




text:OO0OlFE8 




mov 


[ebp+var 10], 5 


text:OOCX)lFEF 




mov 


[ebp 


+var C], 8 


text:0000lFF6 




mov 


eax. 


0 


textrOQOOlFFB 




leave 






textiOOOOlFFC 




retn 






textiOOOOlFFC 


fake_main 


endp 






_text:CKKK>lFFC 












text 


ends 


















ooo 



RAW 



it^ RVA 



D a2e3f93fc91cc4fOf5b28605371dS9aec4bdb3a7e841097dc7615bc2aa43a779 



Executable 

Mach Header 
▼ Load Commands 

LC_S EC M E N T (_ PAG EZI RO) 
TLC_SECMENT (_TEXT) 

Section Header (_te;{t) 
TLC_SECMENT (_DATA) 
Section Header (_data} 
Section Header (_dyld) 
► LC_SECMENT (_IMPORT) 
LC_SECMENT (_LINKEDIT) 
LC_SECMENT (_INIT_STUB) 
LC_SYMTAB 
LC_D¥SYMTAB 
LC_LOAD_DYLINKER 
LC_UUID 
LC_UNIIXTHREAD 

L C_LQAD_DYLIB flibg cc_5.1.dyllb) 



1 



Offset 




1 Descriptior 


1 Value 1 




00000318 


00000005 


Command 


LCJNDfTWREAD 


mme3ic 


00000050 


Command Size 


S0 


00000320 


00000001 


Flavor 


xB6_THREAD_STATE32 


10000324 


00000010 


Count 


15 


00000328 


00000000 


eax 


0 


0000032C 


00000000 


ebx 


0 


00000330 


00000000 


ecx 


0 j 


00000334 


00000000 


edx 


0 


00000338 


00000000 


edi 


0 


0000033C 


00000000 


esi 


0 


00000340 


00000000 


ebp 


0 I 


00000344 


00000000 


esp 


0 


00000348 


00000000 


ss 


0 


0000034C 


00000000 


ef lags 


0 


|00000350 


0000 5 09C 


eip 


20636 1 1 


00000354 


00000000 


cs 


0 


00000358 


00000000 


ds 


0 



o o o 



RAW 



H RVA 



Q a2e3f93fc91cc4fOf5b28e05371dS9aGc4bdb3a7e841097dc7615bc2aa43a779 

(5 



▼ Executable (XSe) 






OfTset 


1 Oata 


1 Descriptlor 


1 Value 


Mach Header 








00000001 


Comrnand 


LC_SEGMENT 


▼ Load Commands 






_00000248 


00000038 


Comrnand Size 


56 


LC_SECMENT LPACEZERO} 








5F5F494E49545F535455420,,. 


Segment Name 


_INIT_STUB J 


▼ LC_SECMENT LTEXT) 






0B00025C 


00005000 


VM Address 


0x5000 ^^^^^^^ 


Section Header ( tejit) 








000 A7 000 


VM Size 


5B4032 


▼ LC_SECMENT (_DATA) 






00000264 


00004000 


File Offset 


15364 


Section Header (_data) 






00000268 


000 A7 000 


File Size 


534032 


Section Header (_dyld) 








00000007 


Maximum VM Protection 




► LC_SECMENT (_IMPORT) 










00000001 


VM_PROT_READ 


LC_SECMENT (_LINKEDIT) 










00000002 


VM_PROT_WRITE 


LC_SECMENT (_INI1T_STUB) 










00000004 


VM_PROT_EXECUTE 


LC_SYMTAB 






00000270 


00000005 


Initial VM Protection 




LC_D¥SYMTAB 










00000001 


VM_PROT_READ 


LC_LOAD_DY LINKER 










00000004 


VM_PROT_EXECUTE 


LC_UUID 






00000274 


00000000 


Number of Sections 


0 


LC_UIVI1XTHREAD 






00000278 


00000000 


Flags 




LC LOAD DYLIR fliharr <i.l.dvljM 









• GDB doesn't like to set breakpoints outside the 
TEXT segment. 

• Patch the binary with a INT 3h. 

• The mov ebp, esp instruction is a good candidate. 

• Easy to emulate in GDB (set $ebp = $esp). 

• No checksum checks exist. 




• No imports other than exit(). 

• Uses INT 80h to call exit, open, fstat, mmap. 

• Dynamically resolves all other required symbols. 

• Mmap is used to map system libraries with the 
symbols. 




• There is no need to mmap libraries. 

• (Ab)use dyld shared cache feature. 

• The most important libraries are cached. 

• We are able to read them directly from memory. 

• But we still need to find some dyld functions. 



"The dyld shared cache is mapped by dyld into a 
process at launch time. Later; when loading any 
mach-o image, dyld will first check if is in the share 
cache , and if it is will use that pre-bound version 
instead of opening, mapping, and binding the 
original file." 



int main (i/7t argc^ const char * argv[]) 
{ 

printf("Dyld image count is: %dAn", dyld image countO); 
for {int i = o; i < _dyld_iniage_count(); i++) 

{ 

char *image_name = (c/?ar*)_dyld_get_image_name(i); 
const struct mach header *mh = _dyld_get_iinage_header(i); 
intptr t vmaddr slide = _dyld_get_iinage_vmaddr_slide(i); 
printf ("Image name %s at address Ox^llx and ASLR slide Ox^lxAn^^ 
image_name, (mach_vm_address_t)mh, vmaddr_slide); 

} 

return 0; 

} 



$ ./solvesymbols 

Dyld image count is: 37. 

Image name /Users/user/solvesymbols at address 0x105719000 and ASLR slide 0x5719000. 
Image name /usr/lib/libSystem.B.dylib at address 0x7fff8aac2000 and ASLR slide 0x1525000. 
Image name /usr/lib/system/libdyld.dylib at address 0x7fff87fd0000 and ASLR slide 0x1525000, 
Image name /usr/lib/systefn/libsystem_c.dylib at address 0x7fff89ce5000 and ASLR slide 
0x1525000. 

Image name /usr/lib/system/libsystemkernel.dylib at address 0x7fff8c02a000 and ASLR slide 
0x1525000. 
(...) 




^^^^^^^^^^^^^1 int ^^^^^^^^^^^^^H 

^^^^^^^^^H printf ("Hello MorldVn"); ^^^^^^^^^H 
^^^^^^^^^^^^^1 return ^^^^^^^^^^^^^H 

gdb$ info shared 

The DYLD shared library state has been initialized from the executable 's shared library information. All symbols should be present, but the addresses 

of some symbols may move when the program is executed, as DYLD may relocate library load addresses if necessary. 

Requested State Current State 
Num Basename Type Address Reason | | Source 

II II I I I I 

1 dyld - Ox7fff5fcOOOOO dyld Y Y /usr/lib/dyld at Ox7fff5fcOOOOO (offset 0x0) with prefix "_dyld_" 

2 hello - 0x100000000 exec Y Y /Users/user/hello (offset 0x0) 

3 libSystem.B.dylib - Ox7fff8aac2OO0 dyld Y Y /usr/lib/libSystetn.B.dylib at 0x7fff8aac2000 (offset 0x7fff8aac2000) 

0 libdyld.dylib - Ox7fff87fdOOOO dyld Y Y /usr/lib/systetn/libdyld.dylib at Ox7fff87fdOOOO (offset Ox7fff87fdOOOO) 

18 libsystem c.dylib - 0x7fff89ce5000 dyld Y Y /usr/lib/system/libsystem c.dylib at 0x7fff89ce5000 (offset 0x7fff89ce5000) 

12 libsystemkernel.dylib - ox7fff8c02aooo dyld Y Y /usr/lib/systetn/libsystemkernel . dylib at ox7fff8c02aooo (offset Ox7fff8c02aooo) 




• How does Crisis finds the necessary dyld 
functions? 

• In Snow Leopard there is no full ASLR (only 
Lion or newer): 

— Enabled only for systenn libraries. 

- 32 bits dyld at fixed address OxSfeOOOOO. 




• Recovers the return address of dyld::_main 
from the stack. 

• By exploiting the stack layout from _dyld_start 
and then jump to entrypoint. 

• Don't forget kernel passes control to dyld and 
then to the original entrypoint. 




Userland 



execveO -> mac_execve()l 



exec_activa te_image ( ) 



Read file 



> exec_mach_imgact() -> dyld -> target entry point 



load_machfile() 



parse_machfile() 



load_dylinker() 



(...) 




mov eax, [ebp+4] ; return address, obtained with 

; builtin return_address(0); 

sub eax, 0D2h ; distance -From return till the beginning of INIT_STUB 

mov [ebp+INIT_STUB_BASEADDRESS], eax ; beginning of INIT_STUB 

mov eax, [ebp-8] ; load address of the program 

cmp eax, 0 

jnz short loc_5A72 

mov eax, [ebp+close_hash^ 

loc_5A72: ; CODE XREF: main+AB^j 

mov [ebp+base_load_address], eax ; eax = Oxiooo 

mov eax, [ebp-5Ch] ; in Lion it points to return address from 

; dyld::_main inside dyldbootstrap: : start 

; In Snow Leopard it's bogus. 

; In Mountain Lion and Mavericks it's bogus. 

and eax, OFFFOOOOOh 

cmp eax, SFEOOOOOh ; <- dyld address 

jz short loc_5A93 ; no jump in Snow Leopard, ML and Mavericks 

mov [ebp+dyld_base_address], SFEOOOOOh ; this is for Snow Leopard 
jmp short loc_5AAl 





• This sample doesn't work in Mountain Lion and 
Mavericks. 

• Because the stack layout changed. 

• Mostly due to the introduction of LC_MAIN 
command to replace LC_UNIXTHREAD. 




.text 

.align A, 0x90 

.globl dyldstart 

dyldstart : 

pushl $0 # push a zero for debugger end of frames marker 
movl %esp,%ebp # pointer to base of kernel frame 
andl $-i6,%esp # force SSE alignment 



Lion 10.7.5 



# call dyldbootstrap: : start (appmh, argc, argv, slide, dyldmh) 
subl $l2,%esp 

call L dyldstartjsicbase 

L dyldstart jaicbase : 



popl 

movl 

movl 

subl 

addl 

pushl 

pushl 

lea 

pushl 

movl 

pushl 

movl 

pushl 

call 



%ebx # set %ebx to runtime value of picbase 

Lmh-L dyld_start_picbase(%ebx)j %ecx # ecx = prefered load address 

dyld st art st at ic j3 icbase - L dyld st art jsicbase (%ebx) , %eax 

%eax, %ebx # ebx = slide = L dyld st art jd icbase - [ dyld start staticjjicbase] 

%ebx, %ecK # ecx = actual load address 



# params = actual load address 

# paramA = slide 



I2(%ebp),%ebx 



8(%ebp),%ebx 
SISebx t 
4(%ebp),%ebx 
%ebx i 



# paramB = argv 



# paramz = argc: 



%ebx # paraml = mh 

_ZNl3dyldbootstrap5startEPKl2macho_headeriPPKclS2_ 




# clean up stack and jump to result 
movl 5!Sebp,%esp # restore the unaligned stack pointer 
addl $8,%esp # remove the mh argument, and debugger end 

# frame marker 
movl $0,%ebp # restore ebp back to zero 
jmp *%eax # jump to the entry point 



^^?5V Mavericks 

dyldstart : 

popl %edx # edx = mh of app 

pushl $0 # push a zero for debugger end of frames marker 

movl %espj%ebp # pointer to base of kernel frame 

andl $-l6j3Sesp # force SSE alignment 

subl $32,%esp # room for locals and outgoing parameters 

call L dyldstartjjicbase 

L dyldstart jsicbase : 

popl %ebx # set %ebx to runtime value of picbase 

movl Lmh-L dyld_startj3icbase(%ebx)j %ecx # ecx = prefered load address 

movl dyld_start_staticjDicbase-L dyld_startjDicbase(%ebx), %eax 

subl %eax, %ebx # ebx = slide = L dyldstartjaicbase - [ dyldstartstaticjaicbase] 

addl %ebx^ %ecx # ecx = actual load address 

# call dyldbootstrap: : start (app jmh, argc, argv, slide, dyld mh, &startGlue) 



movl 
movl 

movl %eaXj4(%esp) 

lea 8(%ebp)j%eax 

movl %eaXj8(%esp) 

movl %ebXjl2(%esp) 

movl %ecXjl6(%esp) 
lea 28(%esp)j%eax 

movl %eax,20(%esp) 



%edXj(%esp) # paraml = app_mh 
4(%ebp)j%eax 



# param2 = argc 



# param3 = argv 

# param4 = slide 

# paramS = actual load address 

# Daram6 = SstartClue 



4 



movl %eaXj20(%esp) # param6 = SstartClue 
call _ZNl3dyldbootstrap5start E PKl2macho_headeriPPKclS2_Pm 
movl 28{%esp) ,%e6x 
cmpl $0,%edx 
jne Lnew 




• Easier to get current EBP and retrieve the value 
in EBP-OxC. 

• Compatible with "all" OS X versions and ASLR! 

• It's an address inside dyld. 



• Caveat 

• Must be compiled with: 

• clang -o ebp ebp.c -arch 1386 -mmacosx- 
version-min= 1 0.6 

• This forces use of old LC UNIXTHREAD. 



#include <stdio.h> 

int mir\{yoid) 
{ 

int myebp = Oj 
_asm_("mov %%ebp, %o\n\t" 
: "=g" (myebp) 

0; 

printf("Dyld return address: 
return 0; 

} 



%x\n"^ * (int*) (myebp-oxc)); 




Breakpoint 1, 0x00001fl0 in main () 



EAX: 0x00000000 EBX: 0xBFFFFD24 
ESI: 0x00000000 EDI: 0x00000000 
CS: 001B DS: 0023 ES: 0023 FS; 



ECX: 0XBFFFFCC4 EDX: 0x00000000 
EBP: 0XBFFFFCBC ESP: 0xBFFFFC9C 
0000 G5: 000F SS: 0023 



0xlfl0 
0xlfll 
0xlfl3 
0xlfl6 
0xlf lb 
0xlflc 
0xlf22 
0xlf29 



55 

89 eS 

83 ec 18 

e8 00 00 00 00 

58 

8d 80 79 00 00 00 
c7 45 fc 00 00 00 00 
c7 45 f8 00 00 00 00 



push 

mov 

sub 

call 

pop 

lea 

mov 

mov 



ebp 

ebp, esp 
esp, 0x18 
0xlflb 



[ebp3] 



[regsl 

odItsZaPc 

EIP: 0X00001F10 



[code] 



[ebp3] 
[ebp3] 



[ebp3] 
eax [ebp3] 
eax, [eax+0x79] [ebp3] 
DWORD PTR [ebp-0x4] ,0x0 
DWORD PTR [ebp-0x8] ,0x0 



[ebp3] 
[ebp3] 



gdb$ x/x $esp-0x4-0x5c 
0xbffffc3c: 0x8fe302ef 
gdb$ info symbol 0x8fe302ef 

_dyld_ZN13dyldbootstrap5startEPK12macho_headeriPPKclS2_ + 637 in section LC_SEGMENT.. 
_text of /usr/lib/dyld 



TEXT. 




WM9wMm 



Breakpoint 1^ OxOOOOlf20 in main () 



EAX: 0x00000000 EBX: OxBFFFFDOO 
ESI: 0x00000000 EDI: 0x00000000 
CS: OOIB DS: 0023 ES: 0023 FS: 



ECX: 0XBFFFFCA4 EDX: 0x00000000 
EBP: 0XBFFFFC9C ESP: OxBFFFFCyC 
0000 GS: OOOF SS: 0023 



Oxlf20; 


55 












push 


ebp [ebp] 


Oxlf21; 


89 


e5 










mov 


ebpjesp [ebp] 


Oxlf 23 : 


83 


ec 


18 








sub 


espjOxl8 [ebp] 
Oxlf2b [ebp] 


Oxlf 26 : 


e8 


00 


00 


00 


00 




call 


Oxlf2b: 


58 












pop 


eax [ebp] 


Oxlf 2c : 


8d 


80 


6d 


00 


00 


00 


lea 


eaxj [eax+0x6d] [ebp] 


Oxlf 32: 


c7 


45 


fc 


00 


00 


00 00 


mov 


DWORD PTR [ebp-0x4],0x0 


Oxlf 39: 


c7 


45 


f8 


00 


00 


00 00 


mov 


DWORD PTR [ebp-0x8],0x0 



[regs] 

odItsZaPc 

EIP: 0X00001F20 



[code] 



[ebp] 
[ebp] 



gdb$ x/x $esp-0x4-0xc 
Oxbffffc6c: Ox8fe01077 
gdb$ info symbol Ox8fe01077 

_dyld_dyld_start + 71 in section LC_SEGMENT._TEXT._text of /usr/lib/dyld 



gdb$ □ 




• After all this excitement libraries are mmpa'ed. 

• Search for the dyld symbols that allow to 
retrieve loaded images. 

• Sdbm hash used to "obfuscate" the symbols 
names. 



• The function to resolve the symbols just locates 
the dyld symbol table and retrieves the value. 

• Separate functions for Snow Leopard and Lion. 

• No idea why! 

• Lion version has an hardcoded value. . . 



struct machheader *mh = {struct mach_header*)dyld_base_addr; 
/* point to the first load command */ 

char *load_cmd_addr = (c/iflr*)dyld_base_addr + sizeof (struct machheader) ; 
/* iterate over all load cmds and retrieve required info to solve symbols */ 

/* LINKEDIT location and symbol/string table location */ 

for {uint32_t i = 0; i < mh->ncmds; i++) { 

struct load_command *load_cmd = {struct load_command*)load_cmd_addr; 

if (load_cmd->cmd == LCJECMENT) { 

O struct segment_command *seg_cmd = {struct segment_command*)load_cmd; 
(strncmp(seg_cmd->segnamej " LINKEDIT''^ 16) == 0) { 
linkeditfileoff = seg_cmd->fileoff; 
linkeditsize = seg_cmd->filesize; 

} 

} 

/* table information available at LCSYMTAB command */ 
else if (load_cmd->cmd == LCSYMTAB) { 

©struct symtabcommand *symtab_cmd = {struct symtab_command*)load_cmd; 
symboltablefileoff = symtab_cmd->symoff; 
symboltablenrsymbols = symtab_cmd->nsyms; 
stringtablefileoff = symtab_cmd->stroff; 
stringtablesize = symtab_cmd->strsize; 

} 

loadcmdaddr += load_cmd->cmdsize; 

} 



/* pointer to _LrNKEDIT offset */ 

char *linkedit_buf = (c/?ar*) dyldbaseaddr + linked itfileoff; 
/* retrieve all kernel symbols */ 
struct nlist *nlist = NULL; 

for {uint32_t 1 = 0; i < symboltable nr symbols; i++) { 
/* symbols and strings offsets into LINKEDIT */ 

mach vm address t symbol off = symboltable fileoff - linkedit fileoff; 
mach vm address t string off = stringtable fileoff - linkedit fileoff; 

nlist = {struct nlist*) (linkeditbuf + symboloff + i * sizeof (struct nlist)); 
char *symbol_string - (linkeditbuf + stringoff + nlist ->n_un.n_strx); 
if (HASH(symbol_string) == REOUESTED_HASH) { 
return nlist->n_value; 

} 




struct nlist { 






union { 






#ifndef LP64 






char *n name; 


/* 


for use when in-core */ 


# :ndif 






uint32_t n_strx; 




" index into the string table */ 


} n_un; 






uintS t n type; 


/* 


type flag, see below */ 


uint8_t n_sect; 


/* 


section number or NO_SECT */ 


intl6_t ndesc; 


/* 


see <inach-o/stab.h> */ 


uint32 t n value; 

}; 


/* 


value of this symbol (or stab offset) */ 




• The dyld functions are used to find out the base 
address of the libraries. 

• Added to each resolved symbol. 

• Function pointer is now available to be used. 



• Useful dyld functions: 

— _dyld_image_count. 

— _dyld_get_image_headen 

— _dyld_get_image_vmaddr_slide. 

— _dyld_get_image_name. 

• Look inside nnach-o/dyld.h. 




00006031 


mov 


00006042 


push 


00006043 


call 


00006049 


add 


00OO604C 


mov 


00006052 


mov 


00006058 


push 


00006059 


call 


0000605 F 


add 


00006062 


mov 


00006068 


mov 


00O0606E 


push 


0000606 F 


call 


00006074 


add 


00006077 


mov 


00O06O7D 


mov 


00006083 


cmp 


00006086 


jnz 


0000608C 


cmp 


00006093 


jnz 


00006095 


call 


0000609A 




0000609A loc 609A: 


0000609A 


mov 


000060A0 


push 


000060A1 


mov 


000060A7 


push 


00O060A8 


call 


000060AD 


add 


000060B0 


add 


000060B6 


mov 



edx, [ebp+imagecounter 
edx 

ebp+_dyld^et_image_rame_ptr] ; _dyld^et_image_name( index) 
esp, 4 

[ebpHhvar lSo], eax ^^^^ 

eax, [ebp-f-image counter] B 

I e b p+_dy ld_get imageh ea d erpt r ] 
esp, 4 

I ebp+varlAO], eax 
ecx, [ebp+var_180] 
ecx 

hashstring 
esp, 4 

.ebp+var_lB4], eax 
edx, [ebp+var_lB4] 

edx, [ebp+var_78] ; is it /usr/lib/system/libsystemkernel.dylib ? 

locBlFA 

[ebp+libsystefi kernel_ptr], 0 ; did we get the mmap -for this lib?^#m 
short loc_609A 
SYS exit 



; CODE XREF: main+6Dltj 

eaXf [ebp-fopen hash] 
eax 

ecx, [ebp+libsystemkernelptr] ; mmap 

ecx 

■Findsymbolinmmapedfile 
esp, 8 

eax, [ebpHhvar lAO] ; add base address of the library 

[ebp+openptrj, eax ; set the function pointer 



• Next step, drop the payloads. 

• Written to -/Library/Preferences/xxxxxx.app/. 

• Random app name. 

• Always the same target folder in all known samples. 

• This sample: ~/Library/Preferences/OvzD7xFrapp/. 



$ file 



Kernel extension "rootkit": 

3ZPYmgCV,T0A: Mach-0 64- bit kext bundle x86_64 

Lft2iRjk.7qa: Mach-0 object i386 

Main backdoor module: 

SoTHYMCj.XIl: Mach-0 executable i386 

Bundle injected into applications: 

EDr5dvW8,p_w: Mach-0 universal binary with 2 architectures 
EDr5dvW8.p_w (for architecture x86_64): Mach-0 64-bit bundle x86_64 
EDr5dvW8.p_w (for architecture i386): Mach-0 bundle i386 

XPC binary: 

CARteYof ■_Fk: Mach-0 universal binary with 2 architectures 
CARteYof,_Fk (for architecture x86_64): Mach-0 64-bit executable x86_64 
CARteYof -Fk (for architecture i386): Mach-0 executable i386 

Config file: 
ok20utla,3-B: data 

Image used to spoof admin credentials request: 
q45tyh: TIFF image data, big-endian 




• After writing all the payloads it just forks and 
launches the main backdoor module. 

• And returns control to the fake start address. 



eax, [ebp+var_198] 
eax 

ecx, [ebp+var_198] 
ecx 

[ebp+execlptr] 
esp, 14h 



; "/Users/user/ Library/Pref erences/0vzD7xFr. app/8oTHYMCj .XII" 



edx, [ebp+varlBO] 
edx 

[ebp+freeptr" 
esp, 4 

eax, [ebp+var_198] 
eax 

[ebp+freeptr" 
esp, 4 

ecx, ebp+var 94. 
edx, |ecx+0Ch7 ; ed 

eax, |ebp+base_load address] 
ecx, [ e dx+e ax- 1 OOOh J 
[ebp+var_lA8], ecx 
eax, rebp+var_lA8] 
ebx, [ebp+baseloadaddress] 
ecx, 0 
edx, 0 

esp, [ebp+var_68| 
esp, 7Ch 

esp, 8 Ufm 

ebp, 0 



; CODE XREF: main+C94tj 
; mainHHCA9tj 



; edx = fake start address 





• The core of Crisis. 

• Responsible for: 

- Injection into target applications. 

— Communications with C&C. 

— Rootkit control. 

- Etc. 




• Coded in Objective-C. 

• (Very) Verbose class and method names. 

• 32 bits only binary 

• Packed with M PRESS in two samples. 




• http://wvwv.matcode.com/mpress.htm 

• Easy to unpack. 

• Not a real obstacle to reversing. 

• Generic dumper to be released. 



• One of the two generic packers available for 
OS X (afaik!). 

• Other is UPX (meh!). 

• Everything else I know is custom ;-). 



• "Programs compressed with M PRESS run 
exactly as before, with no runtime performance 
penalties ." 

• "it also protects programs against reverse 
engineering by non-professional hackers." 





0x0 


0x1000 


0x51000 


0x51 0A4 


0x71 4BB 


Pagezero 


Original Unpacked 
Binary 


Secondary 
^ Stub ^ 


Packed Data 


Initial Stub 

i 



• Steps: 

1 . Start execution of initial stub. 

2. Unpack the original binary and secondary stub. 

3. Execute secondary stub. 

4. Pass control to dyld and execute original binary 



o o o 

[ ^ RAW I RVA 



mainbackdoo r_niod u le_3oTH Y MCj_XI I 



▼ Executable {XS6) 




Offset 


Data 


1 Description 


1 Value 


Mach Header 








Cairnand 


LC_5EGMENT 


▼ Load Commands 








Command Size 


56 


LC_SEGMEMT (_M PRESS_v.2.1Z} 






5F5F4D50524553535F5F762... 


Segment Name 


_MPRESS_v.2.12 


LC_UNIXTHREAD 






0&051000 


VM Address 


0x51000 yi — _, 








09020755 


VM Size 


132949 \| 








09000000 


File Offset 


0 








00020755 


File Size 


132949 






mmmiA 


00000007 


Maximum VM Protection 






* 






00000001 


VM_PROT_READ 










00000002 


VM_PROT_WRITE 










00000004 


VM_PROT_EXECUTE 








00000007 


Initial VM Protection 












00000001 


VM_PROT_READ A_ 










00000002 
00000004 


VM_PROT_WRITE \^ "Z 
VM_PROT_EXECUTE N 








00000009 


Number of Sectitsns 


0 








00000000 


Flags 

















• The MPRESS segment contains the packed data. 

• And the initial packer stub. 

• RWX memory permissions. 



0%0 


0x1000 


0x51000 


0XS10A4 




0X714BB 


FBgOISTD 


AUacated memory 


MPress 
Mach-O 
header 




Packed Data 


^ Initial Stub 



o o o 

r 



mainbackdoo r_mod u le_3oTH Y MCj_XI I 



RAW 



^ RVA 



(a" 



'Executable (XS6} 
Mach Header 
TLoad Commands 

LC_SECMENT (_M PRESS_v,2.1Z} 
LC UNIXTHREAD 



Offset 



Data 

99000905 
9900095a_ 
99000901 
99009910 



99000964 
99000968 
9900096C 
99000970 
99000974 
99000978 
9900097C 
99000980 
99000984 
99000988 
9900098C 
99000990 
99000994 
99000998 



99000900 
99000900 



99000900 
99000900 
99000900 
99000900 
99000900 
99000900 
99000900 
990714EB 
99000900 



99000900 



Description 



CQirmand 
Command Size 



Flavor 
Count 



eax 
ebx 
ecx 
edx 
edi 
esl 
ebp 
esp 
ss 

ef lags 

elp 

cs 

ds 

es 

-EE 



Value 



LC UNIXTHREAD 



xa6_THREAD_STATE32 
16 



0 

9 
9 
9 
9 
0 
9 
9 
9 

464059 
9 
9 
9 

_a 




Two unpacking stubs. 



The first pointed by the entry point. 
Located at the end of the packed data. 



0x0 


0x1000 


0x51000 


0XS10A4 




0x71 4BB 


FagoieTD 


AllQcafted memory 


MPress 
header 




Packed Data 





000714E7 


push 


edi 


000714E8 


push 


OFFFFFFFFh 


000714EA 


push 


1012h 


000714EA 






000714EF 


push 


7 


000714F1 


push 


ebx 


000714F2 


push 


ecx 


000714F3 


lea 


esij [ecx+lCh] A 


OOO714F6 


call 


sub_71519 1 


OOO714FB 


pop 


ecx ^ 


OOO714FB 






OOO714FC 


pop 


edx 


OOO714FC 




i 


QOO714FD 


call 


sub_71534 1 


00071502 


or 


ebp, ebp 


00071504 




short loc 7150E 


OOO715O6 


add 


esp, 404h 


0007150c 


pop a 




OOO715OD 


pop 


eax 


OOO715OE 






OOO715OE 


loc 715OE: 




OOO715OE 




loc_71750 


OOO715OE 


start endp j 


sp=analysis failed 



offset 
fd 

flags 

MAPANON I MAPFIXED 
prot: RWX 
len: 0x00050000 
start addr: 0x00001000 



MAP FIXED MAP PRIVATE 



imap 

0x00001000 

where to start unpacking 
OXOOO51OA4 

where packed data starts 
unpack data and the next stub 



; CODE XREF: start+49tj 

; jump to the 2nd stage stub 





• Continue execution at the second stub. 



0007175(3 
00071750 

00071750 loc 71750: 



START OF FUNCTION CHUNK FOR 



start 



CODE XREF: 



00071750 
00071750 



jmp loc_51000 

END OF FUNCTION CHUNK FOR 
00071750 HEADER ends 
00071750 

00071750 

00071750 end 



:loc_7150ETj 



0x0 


0x1000 


0x51000 


0x51 0A4 




0x71 4BB 


FngozorrD 


Allocated memory 


niPress 
header 




Packed Data 


^ Initial Stub 



0x0 0x1000 



0x51000 0X510A4 



0x71 4BB 



PagoierD 


Original Unpacked Binary 


Secondary 
Stub 


Packed Data 


Initial Stub 




• Restores original memory protections of each 
segment. 

• Maps the linker (dyld). 

• Sets the initial stack and environment variables. 

• Jumps to dyld_start. 

• And dyld jumps back to the original entry point. 





• Essentially it replicates what happens with a 



normal binary. 



00()-j-:jrr loc 51056: 




1 CODE XREF: segOO0:OO051O02tj 


pop 


eax 


; pointer to linker path from the LCLOADDYLINKER command 


push 


edi 


push 


edi 




push 


eax 




call 


doopen 




mov 


ebx, eax 




mov 


esi, esp 




push 


edi 




push 


edi 


; offset 


push 


400h 


; size 


push 


esi 


; buf 


push 


eax 


; fd 


call 


do pread 




call 


5ub_5109C 


; process linker 

; this will map dyld into its memory set on the header 


push 


ebx 




00051077 call 


doclose 






: Of ji)';;' l) / 


add 




esp, 400h 




call 




$+5 




pop 




eax 




add 




eax, OEh 




mov 




[eax], edi 




popa 








call 




sub_51099 


: 00051095 


db 


0 




: 0005 109 5 








: 00051096 


db 


0 




: 00051097 


db 


0 




: 0005 109 8 


db 


0 




: 00051099 








: 00051099 J === 




= = : 


:= S U B R 0 



; sets the stack and env variables 



; puts here the entry point for dyld? 
; address oi dyld dyldstart 



I N [ 



0005109s 
00051099 

00051099 sub_51099 pxoc near 
00051099 pop eax 

000 5 109 A jmp dword ptr [eax] 



; CODE XREF: segOOO:00051090tp 

; jump to dyld dyldstart and start the backdoor 




• The original entry point can be easily found. 

• Using gdbinit's dumpmacho command and 
otool. 

• Or dump memory and use otool, MachOView, 
IDA. 





Load command 10 

Cfnd LC_UNIXTHREAD 
cmdsize 80 

flavor i386_THREAD_STATE 
count i386_THREAD_STATE_COUNT 
eax 0x00000000 ebx oxoooooooo ecx oxoooooooo edx oxoooooooo 
edi 0x00000000 esi oxoooooooo ebp oxoooooooo esp oxoooooooo 
ss 0x00000000 eflags oxoooooooo elp oxoooo2doo cs oxoooooooo 
ds 0x00000000 es oxoooooooo fs oxoooooooo gs oxoooooooo 




• The moment it's ready to jump to dyld_start 
we have a Mach-O binary in memory 

• No further protections. 

• MPRESS is nothing more than a shell for the 
original binary 





• Same GDB problem as the dropper 

• Modify entry point address to a INT 3h. 

• And also the jump to the second stub. 

• If you use gdbinit script use the int3/rint3 
commands for the second breakpoint. 




Program received signal SIGTRAP, Trace/breakpoint trap, 
0K000714bc in ?? {) 



EAX: 0K00000000 EBX: 
ESI: 0K00000000 EDI: 



0x00000000 ECX: 
0x00000000 EBP: 



0K00000000 
0K00000000 



EDX: 0K00000000 
ESP: 0KBFFFFC0B 



0 d 



■[ regs] 
I t s z 



ape 



EIP: 0K000714BC 



CS: 001B 


1 DS: 


0023 


ES: 0023 


FS: 0000 GS: 


0000 SS: 0023 


0x714bc: 


90 






nop 




0x714bd: 


Bb fb 






mov 


edi, ebx 


0K714bf : 


eB 00 


00 00 


00 


call 


0x714c4 


0k714c4: 


5B 






pop 


eax 


0k714c5: 


05 7c 


02 00 


00 


add 


eax, 0)c27c 


0x714ca: 


ff 30 






push 


DV;ORD PTR [eax] 


0x714cc: 


60 






pusha 




0x714cd: 


Bb 03 






mov 


ecK, DWORD PTR [eaxl 



o 



gdb$ int3 0x71750 
gdb$ c 

Program received signal SIGTRAP, Trace/breakpoint trap, 
0x00071751 in ?? {) 



[ regs] 

I t s z a P c 



EAX: 0X000501C3 EBX: 0x00050000 ECX: 0x00020416 EDX: 0X000510A4 o_d 

ESI: 0X0000101C EDI: 0x00000000 EBP: 0X000019E4 ESP: 0xBFFFF7E0 EIP: 0x00071751 
CS: 001B DS: 0023 ES: 0023 FS; 0000 GS: 0000 SS: 0023 



0x71751: 


ab 




stos 


0x71752: 


fB 




clc 


0x71753: 


fd 




std 


0x71754: 


ff 


00 


inc 


0x71756: 


00 


00 


add 


0X7175B: 


00 


00 


add 


0x7175a: 


00 


00 


add 


0x7175c: 


00 


00 


add 



DWORD PTR es: [edi] , eax 



DWORD PTR [eax] 
BYTE PTR [eax] , al 
BYTE PTR [eax] , al 
BYTE PTR [eax] , al 
BYTE PTR [eax] ,al 



[code] 



gdb$ I 




gdb$ rint? 
gdb$ conteKt 

( regs] 

EP>K: 0K00eS01C3 EBX: 9^00050000 ECA: 0x00020416 EDX: 0K000S10A4 odltszaPc 
ESI: 0K0000101C EDI: 0K00000000 EBP: 0K000019E4 ESP: 0KBFFFF7E0 EIP: 0x00071750 
CS: 001B DSi 0023 ES: 0023 FS ; 0000 GS; 0000 SS: 0023 
— (coda] 



0K71750: 


e9 


ab fB fd ff 




0K51000 




0K71755: 


00 


00 


add 


BYTE PTR 


[ eax] , a I 


0K71757: 


00 


00 


add 


BYTE PTR 


[ eax] , al 


0K71759: 


00 


00 


add 


BYTE PTR 


[eaK] , al 


0K7175b: 


00 


00 


add 


BYTE PTR 


[ eaK] , al 


0K7175d: 


00 


00 


add 


BYTE PTR 


[eaK] , al 


0K7175f : 


00 


00 


add 


BYTE PTR 


[eax] , al 


0K71761: 


00 


00 


add 


BYTE PTR 


[ eax] , al 



gdb$ I 




• Technically it's dumping not unpacking 

• A custom debugger 

• Four breakpoints used. 

• Perfect dump. 

• No need to fix anything: imports, etc. 




Find out address and size of the unpacked area. 



0x0 0x1000 



0x51000 0XS10A4 



0x71 4BB 



Pagezero 



AlHocated memory 



M Press 
Mach-O 
header 



Packed Data 



Initial Stub 



OO0714EA 


push 


I012h 


I -Flags 


OOO714EA 






; MAP ANON MAP FIXED MAP PRIVATE 


OOO714EF 


push 


7 


; prot: RWX 


OOO714FI 


push 


ebx 


; len: OxOOOSOOOO ^^^h 


OOO714F2 


push 


ecx 


; start addr: OxOOOOlOCX) ^^^^ 


OOO714F3 


lea 


esi, [ecx+lCh] 




OOO714F6 


call 


sub 71519 


I map 




• Set after the unpacking is done. 

• Find out the jump to the second stub. 



CIOO7150E loc_7150E: ; CODE XREF: start+49tj 

OOO715OE jmp loc_71750 1 jump to the 2nd stage stub 

0007 150E start en dp j sp- analysis failed 



: 00071750 ; START OF FUNCTION CHUNK FOR HiSili 






: 00071750 


=00071750 loc 71750: 


; CODE XREF: ■ 


aH:loc_7i50ETj 


: 00071750 jmp loc 51000 






: 00071750 ; END OF FUNCTION CHUNK FOR EBEIW 






: 00071750 HEADER ends 






100071750 






=00071750 






: 00071750 end 








• Set inside the second stub. 



• We can't dump memory yet. 



• Best place is on the jump to dyld_start. 



00051099 sub_51099 proc near j CODE XREF: segOOO:OO051O9Otp 

00051099 pop eax 

0005 10 9 A jmp dword ptr [eax] ; jump to dyld dyldstart and start the backdoor 

OOO5IQ9A sub_51099 endp ; sp-analysis failed 




Located in the jump to dyld_start instruction, 
We have the binary in memory. 
Dump to disk. 



Kill target binary 



0X0 0X1000 



OXS1000 0X510A4 



Pagezero 



Original Unpacked Binary 



Secondary 
Stub 



Packed Data 



V 



0X714BB 



I 



Initial Stub 




• It's a dumper so you should run it in aVM. 

• Check my github in a couple of days. 



© O MPRESS Dumper 











: ^ 


Sojrce 


1 


f S 

Select 














Target 






Save As 








DUMPI 








• Not all samples can be just dumped. 

• Possible differences between size in memory 
and size in file. 

• A simple dump can have file offsets pointing to 
wrong data. 




BOO 



^ RAW ^ RVA 



'Executable (XS6) 
*Mach Header 
T Load Commands 
*LC_SEGMENT 0 
► *LC_SEGHEhlT CTEXTJ 



► *LC_SECMENT {_DATA) 



► *LC_SEGMENT (_OBJC) 
*LC_SEGMENT LLINKEDIT) 
*LC_DYLD_INFO_ONLY 
*LC_SYMTAB 
*LC_DYSYMTAB 
*LC_LOAD_DYLINKER 
*LC_UUID 

* LC_V ERSION_MIN_MAC0SX 
*LC_UNIXTHREAD 

*LC_LOAD_DYLIB(SystemConfiQuration) 
*LC_LOA[>_DYLIB (AudioTootbox) 
*LC_LOAD_DYLIB (Cocoa) 



Processing in bacltground., 



Q samplebheader 



Offset 



Data 



9000026C 00000258 



DescripJtion 
Cammand 
Comniand Size 



00000270 5F5F4441544100000000000,, 

00000280 00056000 

00000284 00004000 

00000288 00055000 

0000028C 00003000 

00000290 00000007 



00000294 00000003 




_|yarue 

LC_SEG*1ENT 



00000298 00000008 
0000029C 00000000 



Segment Name 
VM Address 
VM Size 
File Offset 
File Size 

Maxi/num VM Protection 

00000001 
00000002 
00000004 

Initial VM Protection 

00000001 
00000002 

Number of Sections 
Flags 



■Si 



_DATA 

0x56000 

16364 

348160 

12266 

VM_PROT_lREAD 

VM_PROT_WRITE 

VM_PROT_EXECUTE 

VM_PROT_READ 
VM_PROT_WRITE 

B 




• This is the memory layout of another sample. 



0x0 


0x1000 


OxSGOOO 


OxSADDO 


0x01000 


PagsHro 


_TEXT SEGMENT 


_DATA SEGMENT 


_OBJG SEGMENT 






0x55000 


0x4000 


0x7000 


0X45DC 





What headers say we should have 

0x0 0x55000 


0x58000 


OxOFOOO 


_TEXT SEGMENT 


_DATA SEGMENT 


OBJC SEGMENT 


^ LINKEDIT SEGMENT 

m 


0x55000 


0x3000 




0x7000 


0x45 DC 




What do we have on disk from simple dump 

0x0 0x55000 0x50000 


0X5F00O 


_TEXT SEGMENT 


_IMVrA SEGMENT 


OBJCSEG 


j^^lNKEDIT SEGMENT 


0x55000 


0x4000 




0x7000 


0X45DC 




• The DATA segment is Ox 1 000 bytes too bi^ 

in the dumped image. 

• Dumped binary will crash. 

• Because OBJC and LINKEDIT are pointin 

to bogus data on disk. 




• Headers must be parsed before dumping 

• Use the file size (and offset) to dump the 
correct sizes to disk. 

• Nothing else needs to be fixed. 




• Hooks the system logging function. 



mov [ebp+var 10 J , eax 

mov eax, ds:7_asl_send_reentiy_ptr - 4792h)[esi] 

mov [esp+OCh], eax 

lea eax, (sub_4B6C - 4792h)[esi] 

mov [esp+8], eax 

lea eax, (aLibsystemc - 4792h)[esi] ; "libsystemc" 

mov [esp+4], eax 

lea eax, (aaslsend - 4792h)[esi] ; "aslsend" 

mov [esp], eax 

call mach override 




• The core is the [RCSMCore runMeh] method. 

• Responsible for initialization. 

• Loading modules. 

• Installing missing settings. 



• Two shared memory segments created in /tmp. 

• Size: 1 6kbytes and 3megabytes. 

• Name: /tmp/launchch-xxxx. 

• A semaphore: sem-mdworker 




• Anti-debug measure # I . 

• A dormant thread that checks for debugger 
presence and exits if present. 

• SysctI anti-debugging (Tech note QA 1361). 

• Easy to bypass, just remove call to new thread. 




• Advance EIP or just NOP that call. 



!00004BOD 


mov 


;00004B13 


mov 


!00004B13 




;M004B19 


mov 


;00004B1F 


mov 


;00004B23 


mov 


;O00O4B23 




!00O04B27 


mov 


;00004B2B 


mov 


!00004B2E 


mov 




call 


;OO004B36 




;00004B36 





ecx, 




clsaNsthread - 4792h)[esi] : class: "NSThread" 
msgaOetachnewthrea - 4792h)[esi] ; message: 

\ "detachNewThreadSelector : toTarget : withObject : " 
4792h)[esi] \ message: "x-frth" 



edx, ds : (msgaXf rth - 
|esp+OCh], ebx 
|esp+8], edx 

;esp+4], ecx 

espjf eax 
dword ptr [esp+lOh]^ 

objcmsgSend 




"xfrth" 
OxF2B9 



detachNewThreadSelector : toTarget : withObject : 
Detaches a new thread and uses the specified selector 
as the thread entry point. 



0C10OF2E2 






OO00F2E2 


loc_ 


F2E2: 


nnnnF2F2 




test 


OOOOF2E9 






30F2EF 




mov 


OOOOF2F6 




call 


0000 F2FB 






0000F2FB 


loc_ 


F2FB: 


0000F2FB 




mov 


0000 F 305 




mov 


0000 F 30c 




mov 


0000 F313 




mov 


0000 F31A 




call 


OOOOF31F 




mov 


OOOOF322 




mov 


O0OOF32C 




mov 


OOOOF33O 




mov 


0000 F334 




mov 


OOOOF337 




mov 


0000 F33F 




mov 


0000 F 347 




mov 


0000 F 34 F 




call 


0000 F354 




test 


OOOOF356 






OOOOF358 




mov 


OOOOF35E 




lea 


OOOOF364 




mov 


OOOOF368 




lea 


OOOOF36E 




mov 


OOOOF372 




lea 


OOOOF378 




mov 


OOOOF37B 




mov 


OOOOF383 




call 


OOOOF388 






OOOOF388 


loc_ 


F388: 


OOOOF388 




mov 


0000 F38F 




call 



bp+var_lF7], 8 
loc_F388 

dword ptr [esp], 0C35Oh 
_usleep$UNIX2(X)3 



CODE XREF: -[RCSMCore xfrth]+9Dij 




dword ptr [ebp-lF8h], 0 
|ebp+var_lCL 1 
|ebp+var_l8| , OEh 

'ebp+var_14], 1 
Retpid 

ebp+varlO], eax 
|ebp+var 20C]^ lECh 
|esp+0Ch7, esi ; size t 

|esp+8]^ edi ; void * 

|esp], ebx j int * 

dword ptr [esp+14hL 0 ; size t 
dword ptr |esp+loh], 0 ; void * 
dword ptr [esp+4], 4 1 uint 

sysctl 
eax, eax 
short loc_F2E2 
esi, [ebp+var_210] 
edi, loc 3000B[esi] 
[esp+OChy, edi ; char 

edi, [esi+2FFD0h] 
[esp+4], edi ; char 

esi, [esi+2FFBEh] 
[esp], esi ; char 

dword ptr [esp+8], loggh ; int 
assert rtn 



CODE XREF: -[RCSMCore xfrth]+27tj 



char * 
char * 



char 



■ CODE XREF; 
dword ptr [esp], OFFFFFFFFh ; int 
exit 



[RCSMCore xfrth]+30tj 



• Anti-debugging #2. 



• If you want to debug the backdoor module 
isolated. . . 



• You need to patch a check for configuration. 



: 000 18 DDI rnov ecx, ds: (msg aLoadconfigurat - lSD9Dh)[esi] \ message: "loadConfiguration" 

:00018DD7 mov [espM], ecx 

:00018DDB mov [esp], eax 

:00018DDE call _objc_msgSend 

:00018DE3 cmp al, 1 

:000l8DE5 jnz short loc_l8E48 \ config successfully loaded? 

:OQQl8DiE5 ■ call exit(-l) if not 




Anti-debugging #3. 



Patch to avoid self-uninstall, 



Later on, why this happens, 



:O0O14OE{3 


call 


objcmsgSend 




:0{X}140E5 


test 


eax^ eax 




:0{30140E7 




loc 14226 


\ always jump to avoid uninstall 




• Creates a LaunchAgent for logged in user 

• Named com. apple. mdworker 

• Maybe create a more credible intermediate 
stub that forks and calls the main backdoor? 

• Too easy to detect. . . 





<? ml verslon="l.O" encoding="UTF-8"?> 

<! lOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.eom/DTDs/PropertyList-l.0.dtd"> 

<|jiist version="i.o"> 

<dict> 

<key>Label</''- '> ^^^^^ 
<strinr>com. apple .mdworker</string> ^^^^^H 

<key> Limit LoadToSessionType</key> ^^^^^^ 
<string>Aqua</string> 
<key>OnDemand</ > 
<false/> 

<key>ProgramArguments</key> 
<arrd^> 

<string>/Users/reverser/Library/Pref erences/0vzD7xFr . app/8oTHYMCj . XI1</ tring> 
</arrav> 

<key>StandardErrorPath</key> 

<string>/Llsers/reverser/Library/Preferences/OvzD7xFr.app/ji33</string> 
<key>StandardOutPath</key> 

<string>/Llsers/reverser/Library/Preferences/0vzD7xFr.app/ji34</string> 
</ilct> 
</plist> 





push 

mov 

push 

sub 

call 

pop 

mov 

mov 

mov 

mov 

mov 

mov 

lea 

mov 

mov 

mov 

call 

movsx 

add 

pop 

pop 
retn 



ebp 

ebp, esp 
esi 

esp, 14h 

$+5 

eax 

ecx, dsiC^glttilptr - 8Fl6h)[eax] 



ecx, [ecx 



edx, ds:( gBackdoorNameptr - 8Fl6h)[eax] 
edx, [edx] 

esi, ds:(msg_aCreatelaunchag - 8F16h)[eax] ; message: "createLaunchAge 
[esp+OCh], edx 

eax, (cfs_aCom_apple_md_3-isa - 8Fl6h)[eax] ; "com. apple. mdworker" 

|esp+8], eax 

|esp+4], esi 

|esp], ecx 
_objc_msgSend 
eax, al 
esp, 14h 
esi 
ebp 




RCSrtCore ma keBackdoorResident_ endp 



o 



I 




• There are at least three encryption keys. 

• Two hardcoded for log and configuration. 

• The session key dynamically negotiated with the 
server 

• C&C traffic over HTTP 




00045500 public _gLogAesKey 

00045500 _gLogAesKey dd 2E76l-DDCh 
00045504 dd 0E379AD7h 

00045508 dd 828ED938h 

0004550C dd 0A4DB2917h 



00045530 public _gConfAesKey 

00045530 _gConfAesKey dd 0B272C976h 
00045534 dd 0C583B7F7h 

00045538 dd 85D23BADh 

0004553C dd 2C889690h 



1 



m 



; DATA XREF: nl_symbol_ptr :_gLogAesKey_ptr'^ o 



; DATA XREF: nl_symbol_ptr:_gConfAesKey_ptr' o 



; DATA XREF: nl_symbol_ptr :_gSessionKey_ptr'^ o 




• Log and configuration files are encrypted with 
AES 128 CBCnull IV 

• openssi enc -d -aes- 1 28-cbc -in ok20utla.3-B -K 
"76c972b2f7b783c5ad3bd2859096882c" -iv 0 - 
out config.decrypted 





aaaaaaa:diopped reverser$ openssl enc -d -aes-l28-cbc -in ok20utla.3-B -K "75c972b2f7b783c5ad3bd2859095882c" -iv 0 -out config.dec 

rypted 

bad decrypt 

697:error:0606506D:digital envelope rojtines:EVP_DecryptFinal_ex:wrong final block length:/SourceCache/OpenSSL098/OpenSSL098-50/sr 
c/crypto/evp/evpenc. c :323 : 

aaaaaaa:dTopped reverser$ hexdump -C config. decrypted | more 



00000000 


C7 


89 


8f 


13 


a6 


4d 


97 


ce 


oe 


C7 


b8 


33 


cd 


99 


d4 


fb 


M 3. . 




00000010 


15 


cf 


97 


2b 


ac 


bo 


04 


87 


b8 


54 


45 


ad 


9d 


03 


9a 


le 


... + dE... 




00000020 


7b 


b4 


ab 


36 


ef 


65 


4d 


94 


95 


aa 


31 


4f 


7c 


67 


d7 


be 


{. .6.6M. . .10| . 




00000030 


ef 


eb 


4b 


f7 


d3 


6f 


f8 


24 


85 


51 


03 


ea 


51 


23 


3b 


00 


. . K . . 0 . $ . a . . 0# 




00000040 


fl 


ed 


5c 


ba 


44 


5e 


c6 


d3 


5d 


85 


42 


4b 


df 


5d 


ad 


b9 


. .l.D'^. . ] .BK. ] 




00000050 


26 


2f 


fo 


75 


11 


07 


a2 


be 


C4 


2e 


30 


55 


ca 


64 


06 


c4 


S/.u OU. . 




00000060 


09 


3b 


74 


f6 


6c 


2C 


94 


fb 


d6 


5C 


Ob 


4d 


98 


If 


86 


64 


. jt.lj . .A.M. . 




00000070 


55 


9d 


86 


2c 


41 


b6 


fd 


79 


bd 


d6 


ao 


53 


31 


do 


97 


7a 


U..jA..y...cl. 


. z 


00000080 


3e 


ec 


eb 


58 


d7 


ab 


37 


94 


05 


31 


16 


dc 


64 


00 


b5 


al 


>. .X. .7. .1. .d. 




00000090 


24 


la 


ee 


e6 


5d 


26 


97 


b8 


be 


5b 


38 


98 


fc 


11 


4a 


53 


$...]S...k8... 


3S 


ooooooao 


f9 


92 


ff 


7d 


07 


cf 


da 


d5 


3e 


98 


89 


01 


f6 


56 


bb 


f2 


. . .} > V 




oooooobo 


fb 


3f 


C4 


2d 


38 


fd 


C5 


4e 


53 


Cl 


8a 


33 


37 


69 


d2 


90 


. ?.-8. .N5. .37. 




OOOOOOCO 


40 


54 


54 


2f 


ec 


b9 


be 


eo 


fo 


35 


51 


C5 


54 


C4 


ea 


24 


@Td/ 5Q.T. 




OOOOOOdO 


6e 


e6 


79 


18 


8e 


a9 


df 


19 


33 


bd 


04 


02 


d3 


13 


73 


fd 


n-y 




ooooooeo 


of 


2C 


b6 


f6 


6a 


76 


37 


C6 


ce 


la 


2f 


8c 


C2 


64 


12 


77 


.,..jv7.../..d 




oooooofo 


43 


54 


00 


8a 


aa 


f9 


59 


71 


b8 


37 


af 


Ob 


5e 


ab 


C5 


5a 


Cd Yq.7. 


.1 


00000100 


f5 


8b 


98 


9b 


Oe 


14 


23 


90 


5d 


38 


al 


20 


fd 


d9 


83 


6a 


#.[Tl8. .. 


■ j 


00000110 


82 


5a 


37 


b5 


b8 


62 


5d 


63 


28 


93 


bl 


36 


df 


8c 


fe 


6f 


.17. .b]c(. .6. . 


.0 


00000120 


6d 


a8 


a2 


04 


21 


Oa 


2b 


bd 


07 


bd 


67 


41 


as 


7d 


a3 


c4 


m.. . ! .+ A.} 







S O O f 

Save Copy Cp^ Paste Undo Redo 



ok20utla.3-B 



(5 



ex ^ (Q" Text search ^ 

Go To Offset Find (Text search) 



000 00 

020 D3 

040 13 

060 07 

080 8D 

0A0 F6 

0C0 34 

0E0 ZD 

100 E0 

120 E9 

140 SB 

160 92 

180 BB 

1A0 B3 

1C0 E7 

1E0 31 

200 06 

220 52 

240 ED 

260 FB 

280 28 

2A0 Fl 



00 00 
CD F8 
05 70 
11 26 
58 7D 
FF 07 
91 25 
F0 73 
5E 2D 
IC 9B 
9F 02 
00 89 
F4 12 
CE 53 
03 90 
CB 87 
16 51 
09 31 
36 2A 
IB B3 
DC 61 
69 F6 



00 00 
AD 10 
24 60 
IC EC 
AF 6C 
66 BF 
97 58 
70 B0 
4D 95 
AA BD 
62 18 
48 65 
5D 53 
AC BB 
4E D7 
77 7D 
D0 85 
38 7E 



B0'82 



00 00 
F5 52 
63 0D 
7E 85 
IB B6 
ED 32 
19 7A 
88 D0 
ID CI 
B6 D2 
7A 3D 
5C 39 
34 02 
69 C9 
C0 69 
3B 33 
95 B7 
65 5B 
41 D7 
17 3C 
75 Bl 
C8 9D 



00 '6F AA 
67 ^B CD 
D7 CA 8D 



5D 53 
C7 A5 
2A IB 
81 59 9D 
CF 5B FF 
CC EB 9E 
E8 2A 4F 
DD 58 7B 
85 10 8B 
DF FD 0A 
BA 53 IF 
08 B4 8F 
A0 7B CB 
EA 63 57 
5E F5 IC 
81 16 
BE ED 
4B 3E 12 
A9 BA 3C 



45 F4 

06 93 
E9 9F 

07 F0 
2B 8B 
0A 61 
53 B7 
D2 CI 
5D 89 
69 97 
5A 80 
81 43 
94 40 
69 37 
CI B9 
E6 28 
3A BC 
52 62 
C3 E7 
ED C7 
05 C3 
EB CC 



CD 40 
DA D2 
91 BD 
Fl 8F 
62 20 
7D 00 

00 7E 

01 A5 
37 B5 
El Fl 
90 9A 
61 34 
AB BA 
80 21 
BC 33 
73 3C 
69 FF 
31 86 
D5 34 
ID E0 
2E A6 
CA 96 



B5 39 
B4 41 
55 A2 
9B 59 
CI 3E 
6B 3E 
D7 B9 
12 32 
73 72 
F4 61 
30 D6 
73 82 
El 4C 
AF 48 
28 7F 
55 D6 
8E DA 
71 13 
5F 7B 
FS D7 
D7 CA 
00 AB 



58 0B 
DF 77 
94 A9 
3F 42 
4A B2 
IC 7F 
A4 33 
62 A0 
F8 F8 
07 0D 
11 92 
F3 2C 
88 60 
5B 73 
BC 10 
CE 23 
9D 43 
54 C8 
Bl 24 
C8 6E 
EC lA 
56 CA 



ED 98 DA 
24 74 16 
2D 83 IE 
88 20 E3 
EC FB 19 
AC E9 83 
40 05 C9 
C8 5D IE 
7C FD 41 



21 B6 
21 A5 



53 44 E9 



8D 2B 
42 D8 

87 9B'92 
DA B6 B5 
A4 SB 85 
CF 14 C8 

88 Fl 8F 
D9 AD 62 
DE 17 Fl 
D7 FA F4 



D7 94 C8 FB 90 7A CD DB 50 4D 30 o.E..@.9X Z..PM0 

34 E4 22 F9 32 81 DB F8 B4 26 B7 RgK A.w$t.4.".2 &. 

CC D0 5A 2C 93 20 C2 01 EF 31 16 ..p$~c U...- Z,. ...1. 

80 2E 87 2B 4B FE 4A 49 68 62 26 ..S<..~.0]S Y?B +K.JIhbS, 

B0 27 A0 73 C2 98 Fl 53 74 EB 5B .X}.1 +.b .>J '.s...St.[ 

CF BC 63 9F 3E C6 4A 4F D8 A2 IF . . .f. .2.*. .a}.k> o.JO. . . 

B8 E5 47 IF IF AE 63 B0 B0 6D 6A 4.5S.X.Z. Y. S. .-. . .3@i G...c..mj 

25 22 09 AF AF 95 F4 69 57 30 IE -.sp [ 2b..].X" iW0. 

2E 55 F3 12 99 34 A2 5E 28 DD 75 .A-M ] . 7. sr. . I . A. U. . .4. AC ■ u 

01 DB DE F3 77 49 FF 18 B7 lA DF *0i a..!.\ wl 

74 99 C3 6C CE 43 5F 18 30 A3 9A . . .b.z=.X{Z. . .0. . . ! . .t. .1.C_.0. . 

CE 85 33 08 F3 A6 5C 69 CA 5E 3B . . . He\9 Ca4s. . ,SD. . .3. . A; 

E5 IB 6F C3 8F 0E 9B 58 BB 67 57 ...]S4 @. .. L .'.+... o X.gW 

C6 2D 43 4F DE 09 BE 21 34 63 25 . .5. .1. .S.i7. ! .H[sB.x.-CO. . . !4c5S 

03 45 3B 28 41 94 Dl BE B0 61 23 ...N..i 3C E;CA a# 

34 84 AD EE 9D AF 38 5B 50 72 83 1. .w};3.{. .Cs<U. .#. . .4 8[Pr. 

67 CI 67 F2 F4 Al 5D 72 45 6C C4 ..Q cW:.i C. . . g. g. . . ]rEl . 

F0 87 F4 14 E6 AA C2 5A 48 AA 2D R. 18~e[A. . Rbl. q.T ZH.- 

57 B2 71 El 99 F5 04 2C 2D E6 AA .6*.>A 4_{.$...W.q -.. 

FS EE 35 A5 FE F9 FD 7F 9F 05 AA J.< n..b..5 

Al AE 58 76 5E 6D 28 50 EE D3 A9 C-aB>u.K> XvAmCP. . . 

El D7 4d|| I .1 < V M 



I Value 



Type 

1 8 bit signed 
' 8 bit unsi... 

16 bit signed 
1 16 bit uns... 

Hex Little Endian Insert 



I 



ASCII 



Offset: 2B8 Selection: 0 




• Those initial NULL bytes are there just to annoy 
OpenSSL 

• Can be safely removed. 

• OpenSSL still complains but decrypts correctly 

• Just create small utility calling CCCrypt. 





aaaaaaa: dropped reverser$ openssl enc -d -aes-l28-cbc -in ok20utla.3-B. fixed -K "76c972b2f7b783c5ad3bd2859096882c" -iv 0 -out conf 
bad decrypt 

763 : error : 06055054: digital envelope routines : EVPDecryptFinalex : bad decrypt: /So urceCache/0penSSL098/0penSSL098- 5 0/src/crypto/evp/ 
evp_enc.c:330: 

aaaaaaardiopped reveiserS hexdump -C conf ig. decrypted | more 



00000000 


a2 


02 


00 


00 


45 


56 


45 


4e 


54 


43 


4f 4e 


46 


53 


2d 


00 


EVENTCONFS-. 


00000010 


03 


00 


00 


00 


00 


00 


00 


00 


00 


00 


00 


00 


10 


00 


00 


00 




00000020 


01 


00 


00 


00 


60 


ea 


00 


00 


00 


00 


00 


00 


ff 


ff 


ff 


ff 




00000030 


01 


00 


00 


00 


01 


00 


00 


00 


23 


00 


00 


00 


ff 


ff 


ff 


ff 


# 


00000040 


00 


00 


00 


00 


00 


de 


ad 


6d 


00 


73 


00 


70 


00 


61 


00 


69 


m.s.p.a.i 


00000050 


00 


5e 


00 


74 


00 


2e 


00 


65 


00 


78 


00 


65 


00 


00 


00 


00 


.n.t...e.x.e.... 


00000060 


00 


00 


00 


01 


00 


00 


00 


10 


00 


00 


00 


02 


00 


00 


00 


00 




00000070 


80 


8d 


2f 


64 


26 


cd 


01 


ff 


ff 


ff 


ff 


02 


00 


00 


00 


01 


. ./da 


00000080 


00 


00 


00 


01 


00 


00 


00 


2a 


00 


00 


00 


00 


00 


00 


00 


00 




00000090 


00 


00 


00 


00 


90 


01 


00 


31 


37 


38 


2e 


37 


39 


2e 


31 


34 


178.79.14 


ooooooao 


36 


2e 


31 


36 


37 


00 


52 


43 


53 


5f 


30 


30 


30 


30 


30 


30 


6.167. RCS 000000 


oooooobo 


30 


33 


32 


39 


00 


01 


00 


00 


00 


05 


00 


00 


00 


00 


00 


00 


0329 


OOOOOOCO 


00 


41 


47 


45 


4e 


54 


43 


4f 


4e 


46 


53 


2d 


00 


13 


00 


00 


.AGENTCONFS- 


OOOOOOdO 


00 


11 


10 


00 


00 


00 


00 


00 


00 


00 


00 


00 


00 


40 


01 


00 


@.. 


ooooooeo 


00 


00 


00 


00 


00 


08 


00 


00 


00 


00 


00 


08 


00 


05 


00 


00 




oooooofo 


00 


e9 


e9 


00 


00 


00 


00 


00 


00 


08 


00 


00 


00 


Of 


00 


00 




00000100 


00 


32 


00 


00 


00 


c6 


C6 


00 


00 


00 


00 


00 


00 


00 


00 


00 


.2 


00000110 


00 


d9 


d9 


00 


00 


00 


00 


00 


00 


00 


00 


00 


00 


CO 


02 


00 




00000120 


00 


00 


00 


00 


00 


14 


00 


00 


00 


00 


00 


00 


00 


01 


00 


00 







• How to trace all encrypt/decrypt operations. 

• Two methods: 

— encrypted With Key: 

— decryptWithKey: 

• Or breakpoint in CCCrypt and dump its 
parameters. 




O O O D config_file_decrvpted 

^ ''^Hex ^' ''Q- Text search 



cn.to Copy Cut Paste L'ido Redo Co To Offset Find CTeKt search) 



000 AZ 0Z 00 00 


45 56 45 4E 


54 43 4F 4E 


46 53 ZD 00 


03 00 00 00 


00 00 00 00 


00 00 00 00 


10 00 00 00 


01 00 00 00 


50 


. . . . EVEffTCONFS- 




0Z5 EA 00 00 00 


00 00 00 FF 


FF FF FF 01 


00 00 00 01 


00 00 00 Z3 


00 00 00 FF 


FF FF FF 00 


00 00 00 00 


DE AD 6D 00 


73 


.............. .ii .m.s 


04A 00 70 00 51 


00 53 00 5E 


00 74 00 ZE 


00 55 00 7S 


00 55 00 00 


00 00 00 00 


00 01 00 00 


00 10 00 00 


00 0Z 00 00 


00 


.p.a.l .n.t . . .e.st.e 


06F 00 80 SD ZF 


64 Z6 CD 01 


FF FF FF FF 


0Z 00 00 00 


01 00 00 00 


01 00 00 00 


ZA 00 00 00 


00 00 00 00 


00 00 00 00 


00 


. . ./cK .* 




094 90 01 00 31 


37 3S ZE 37 


39 ZE 31 34 


36 ZE 31 36 


37 00 5Z 43 


53 5F 30 30 


30 30 30 30 


30 33 3Z 39 


00 01 00 00 


00 


. . . 17S . 79 . 146 . 167 . RCS 00000003Z9 




0E3 05 00 00 00 


00 00 00 00 


41 47 45 4E 


54 43 4F 4E 


46 53 ZD 00 


13 00 00 00 


11 10 00 00 


00 00 00 00 


00 00 00 00 


40 


AGEhlTCOMFS- g 


0DE 01 00 00 00 


00 00 00 0B 


00 00 00 00 


00 0S 00 05 


00 00 00 E3 


E3 00 00 00 


00 00 00 08 


00 00 00 0F 


00 00 00 3Z 


00 


Z 




103 00 00 C6 C6 


00 00 00 00 


00 00 00 00 


00 00 D3 D3 


00 00 00 00 


00 00 00 00 


00 00 C0 0Z 


00 00 00 00 


00 00 14 00 


00 






IZB 00 00 00 00 


00 01 00 00 


00 01 00 00 


00 00 00 00 


00 00 00 00 


00 40 0Z 00 


00 01 00 00 


00 04 00 00 


00 01 00 00 


00 


................. e 




14D 00 00 00 00 


00 00 00 00 


Z4 00 00 00 


00 00 00 00 


00 00 00 00 


39 EZ CE 01 


00 IF ZB 36 


00 00 00 00 


00 00 00 00 


01 


S 9 +5 




17Z 00 00 00 00 


00 00 00 00 


00 00 00 7A 


DF 00 00 00 


00 00 00 18 


00 00 00 00 


00 00 00 00 


00 00 00 00 


00 00 00 43 


DE 


z C 




197 3Z 01 00 00 


00 00 00 00 


00 00 40 00 


00 00 00 00 


00 00 00 00 


00 00 01 10 


00 00 00 00 


00 00 lA 00 


00 00 00 00 


00 


Z. ....... ....................... . 




lEC 00 00 IF ZE 


36 33 EZ CE 


01 FF FF FF 


FF FF FF FF 


FF 00 7S 00 


00 00 00 CZ 


CZ 00 00 00 


00 00 00 0C 


00 00 00 00 


00 


. . .+69 .X 




lEl 00 00 05 00 


00 00 DC 00 


00 00 S0 0Z 


00 00 00 00 


00 00 08 00 


00 00 Z8 00 


00 00 ZS 00 


00 00 00 0Z 


00 00 00 00 


00 






Z05 00 00 00 00 


00 FA FA 00 


00 00 00 00 


00 00 00 00 


00 Z0 IZ 00 


00 00 00 00 


00 0S 00 00 


00 E0 33 04 


00 04 00 00 


00 






ZZB 00 01 00 00 


00 00 00 00 


04 00 00 00 


04 00 00 00 


B3 B3 00 00 


00 00 00 00 


10 00 00 00 


5A 00 00 00 


EF EE AD DE 


00 


Z 




Z50 00 00 00 00 


00 00 00 &0 


01 00 00 00 


00 00 00 0S 


00 00 00 EF 


BE AD DE 00 


00 00 00 4C 


4F 47 5Z 50 


43 4F 4E 45 


53 


.LOGRPCONFS 


Z75 ZD 00 00 00 


40 IF 00 00 


S0 3E 00 00 


00 00 4Z 53 


50 41 53 43 


4F 4E 45 53 


ZD 00 00 00 


00 00 45 4E 


44 4F 46 43 


4F 


.EYPASCOHFS-. . . . .ENDOFCO 


Z9A 4E 45 53 ZD 


DE 53 40 A5 


00 00 00 00 


00 00 00 00 


00 00 00 00 


00 00 








NFS-.Se 



Type 


Varue 1 


8 bit signed 


49 1 


& bit unsi... 


0x31 


16 bit signed 


14129 


16 bit uns... 


0x3731 



Hex Little Endian Overwrite ASCII Offset: 97 Selection: E 





eirNzlgd.CFp.decrypted LNRECISTERED ^ 



eiYNzlgd.Cfp.decrypted x 

. {"actions" : [{"subactions" : [{"module" : "device", "status" : "start", "action" : "niodule"),{"module" : "keylog", "status" : "start". "actBipiM 
ion" : "module"},{"module" : "mouse", "status" : "start", "action" : "module"}, {"module" : "password", "status" : "start", "action" : "modulBHHi 

e"}], "desc" : "STARTUP"},{"subactions" : [{"module" : "camera", "status" : "start", "action" : "module"}] , "desc" : "CAMERA"}, {"subaction 
s" : [{"wif i" :true, "stop" :false, "host" : " m«rfHWi t i i m " . "bandwidth" : 5000D0, "mindelay" :0, "maxdelay" :0, "cell" :f alse, "action" : "s 
ynchronize"}], "desc": "SYNC"}], "modules": [{"module" :"addressbook"},{"module":"application"},{"module":"calendar"},{"module" 
: "call", "record" :true, "compression": 5, "buffer" :5l2000},{"module": "camera", "quality" :"med"},{"module":"chat"},{"module":"cl 
ipboard"},{"position":true,"mic":true, "hook" :{"processes":[], "enabled" :true}, "synchronize" :false, "call" :true, "module" :"cri 
sis", "network":{"processes":[],"enabled":false},"camera":true},{"module": "device", "list":false},{"capture":false, "date": "2 
012-07-09 00:00:00", "open" :false, "module" : "file", "minsize" :i, "accept" : [ ], "maxsize" : 500000, "deny" : [ ]},{"vm" :o, "module" : "inf 
ection","mobile":false,"local":false,"factory":"","usb":false},{"module":"keylog"},{"module": "messages", "sms":{"fllter":{" 
datefrom": "2012-07-09 00:00:00", "dateto": "2100-01-01 

00:00:00", "history" : true}, "enabled" :true}, "mms" :{ "filter" :{ "datefrom" : "2012-07-09 00:00:00", "dateto" : "2100-01-01 
00:00:00", "history" :true}, "enabled" :true}, "mall" :{"fllter":{"datefrom": "2012-07-09 00:00:00", "dateto": "2100-01-01 00:00:00 
", "maxsize" : 100000, "history" :true}, "enabled" : true}}, {"module" : "mlc", "autosense" : false, "silence" : 5, "threshold" :0. 22}, {"modu 
le":"mouse","helght":50,"width":50},{"module":"password"},{"module":"position","wlfl":true,"gps":false,"cell":true},{"modu 
le" : "print", "quality" : "med"},{ "module" : "screenshot", "onlywindow" :false, "quality" : "med"},{ "module" : "url"}], "globals" :{"vers 
ion" : 2012041601, "wipe" :false, "collapsed" : false, "migrated" : false, "nohide" : [ ], "type" : "desktop", "advanced" :false, "removejriv 
er" :true, "quota" :{"min": 1048576000, "max" : 4194304000}}, "events" : [{"te" : "23 : 59: 59", "start" :o, "subtype" : "loop", "ts" : "00:00:00 
","enabled":true,"desc":"STARTUP", "event": "timer"},{"te": "23:59:59", "start":i,"subtype":"loop","ts": "00:00:00", "delay":i80 
,"repeat":l,"enabled":true, "desc": "CAMERA", "event": "timer", "iter":5},{"te": "23:59:59", "subtype": "loop", "ts": "00:00:00", "re 
peat" :2, "enabled" :true, "desc" : "SYNC", "event" : "timer", "delay" : 300}]} 



13 chararters selected 



Tab Size: 4 Plain Text 




• To start reversing, breakpoint method 
[RCSMTaskManager loadlnitialConfiguration]. 



OOOIOAIA mov ecx, ds:(cls aRcsmtaskmanage - 0FE6Chl esl^ ; class: "RCSMTaskManager" 

00010A20 mov edi, ds: (msgaSharedinstance - OFEGCh)[esi] ; message: "sharedlnstance" 

00010A26 mov resp+4], edi 

00010A2A mov [ssp], ecx 

00010A2D call _obJc_msgSend 

0O01OA32 mov edi, eax 

00010A34 mov ecx, ds: fclsaNsthread - 0FE6Ch)[esi] : class: "NSThread" 

00010A3A mov ebx, ds:(msg aDetachnewthrea - 0FE6ChVesi] ; message: "detachNewThreadSelector:toTarget:withObject: " 

00010A4O mov eax, ds: (msg aLoadinitlalcon - 0FE6Ch)[esi] ; message: "loadlnitialCon-Flguration" 

OOOIOA46 mow [esp+OCh], edi 

OOOIOA4A mov esp+8], eax 

0001OA4E mov |esp+4], ebx 

OOOIOA52 mov [esp], ecx 

OOQIOA55 mov dword ptr [esp+lOh], 0 

OOOIOASD call objcmsgSend ; detach thread to loadlnitialConfiguration 

00010A5D ; 0x18090 




^interface RCSHTaskManager : NSObject 
{ 

B(X)L mIsSyncing; 
NSMutableArray *mE vents List; 
NSMutableArray *rT!Act ions List; 
NSMutableArray *mAgentsList; 
int mBackdoorlD; 
NSString *mBackdoorControlFlag; 
BOOL mShouldReloadConfiguration; 
RCSMConfManager *niConf igManager; 
RCSMActions *mActions; 



N" 




^interface RCSMConfManager : NSObject 
{ 

NSData *mConfigurationData; 
RCSMEncryption *mEncryption; 

} 

- (idJinitWithBackdoorName: (id)argl; 

- (void)dealloc; 

- (BCX)L)loadConfiguration; 

- (BOOL)checkConf igurationlntegrity: (id)argl; 

- (id)encryption; 

@end 



^interface RCSMEncryption ; NSObject 
{ 

NSData *mKey; 




No pretty JSON format ©. 

Divided into configuration sections: 

- EVENTS. 
-AGENT 

- LOGRR 

- BYPAS. 



EVENTSCONF contains: 



— Events. 



— Actions. 



n this file, three events and two actions, 



struct event 




{ 




Int type; 




int action; 




int size of da 


ta; 


} 





o o o 



050 

080 
0A0 
0C0 
0E0 
100 
1Z0 
140 
150 
180 
1A0 
1C0 
1E0 

Z00 

ZZ0 
Z40 
Z50 
ZS0 



[5 ^ -t—i 



# of elements 



T' It 



Paste Undo R^do 

00 00 00 00 00 00 00 00 AZ 0Z 00 00 45 

00 00 00 00 10 00 00 00 01 00 00 00 50 

Z3 00 00 00 FF FF FF FF 00 00 00 00 00 

00 78 00 55 00 00 W 00 00 00 00 01 00 
FF FF FF 0Z 00 



37 38 ZE. 
00 05 
00 00 00 

00 08 00 
00 00 00 
00 00 00 




00 00 00 01 00 

34 35 ZE 31 35 37 
00 00 41 47 45 1 4E 

I 00 

00 ( ^rd pwppif ' 00 
00 ( ^ V I I L I 0g 

00 40 0Z 00 00 01 00 00 00 

S0 39 EZ CB 01 

#r\^ Qr"+ir^nc ^0 00 00 00 00 
Ul dLLIUI lb 3g ^0 



00 00 IF ZB 


3S 39 EZ CB 


00 00 00 00 


00 00 00 05 


00 00 00 00 


0Z 00 00 00 


00 00 00 08 


00 00 00 E0 


B3 00 00 00 


00 00 00 10 


00 00 00 08 


00 00 00 EF 


00 80 3E 00 


00 00 00 4Z 























0 






55 


45 


4E 


54 


43 


4F 


4E 


46 


53 


ZD 


00 


03 00 


00 


00 


00 00 


EA 


00 


00 


00 


00 


00 


00 


FF 


FF 


FF 


FF 


01 00 


00 


00 


01 00 


DE 


AD 


5D 


00 


73 


00 


70 


00 


51 


00 


53 


JiME 


00 


74 


00 ZE 


00 


00 


10 


00 


00 


00 


0Z 


00 


00 


00 






ZF 


54 


Z5 CD 


00 


00 


ZA 


00 


00 


00 


00 


00 


00 


00 


00 


I00 


00 


00 


30 01 


00 


5Z 


43 


53 


5F 


30 


30 


30 


30 


30 






■3-7 






54 


43 


4F 


4E 


45 


53 


ZD 


00 


13 


00 




."^ event 


08 


00 


00 


00 


00 


00 


08 


00 


05 


00 


2 


C5 


C5 


00 


00 


00 


00 


00 


00 


00 


00 












14 


00 


00 


00 


00 


00 


00 


00 


01 


00 


00 


00 01 


00 


00 


00 00 


04 


00 


00 


00 


01 


00 


00 


00 


00 


00 


00 


00 00 


00 


00 


00 Z4 


00 


IF 


ZB 


35 


00 


00 


00 


00 


00 


00 


00 


00 01 


00 


00 


00 00 


18 


00 


00 


00 


00 


00 


00 


00 


00 


00 


00 


00 00 


00 


00 


00 43 


00 


00 


00 


00 


00 


00 


00 


00 


01 


10 


00 


00 00 


00 


00 


00 lA 


FF 


FF 


FF 


FF 


FF 


FF 


FF 


FF 


00 


78 


00 


00 00 


00 


CZ 


CZ 00 


00 


00 


DC 


00 


00 


00 


80 


0Z 


00 


00 


00 


00 00 


00 


08 


00 00 


00 


00 


00 


00 


00 


00 


FA 


FA 


00 


00 


00 


^00 00 


00 


00, 


00 00 



Type 



I Value 



8 bit signed 

S l3it unsi... 

16 bit signed 

16 bit uns... 

Hex Little Endian Insert 



struct event 

int type; 

int action; 

int size of data; 



00 55 

01 FF 

00 31 

m 00 
)0 00 
10 00 

J0 00 



DE 3Z 



00 Z8 
00 Z0 
100 00 04 

I00 00 80 

IzD 00 00 
I44 4F 45 



Ttex ^1 i^Q' Hex searcli ^ 

Co To offset Find (Hex search) 



.EVEhfTCONES- 



. ./dS. 



78 . 79 . 145 . 157 . RCS_00000003Z9 . 

AGEhfTCOMFS- 

. . . . .@ 

Z 



.■1-5. 



.CZ 



. . .@. 
.■1-59. 



LOGRPCONFS-. . 

.BYPASCONFS-. . . . .EMDOF 



I 



ASCII 



Offset: 164 Selection: 0 




• The agents section only contains agents 
configuration. 

• The status field defines if agent is active or not. 




struct agent 
{ 

Int agentid; 

int status; 

int slze of data; 

} 




• There's some mapping between the agent ID 
and classes. 

• Agent ID 576 maps to RCSMAgentDevice. 

• Appears to only retrieve target configuration. 

• The only agent ID active in this file. 









576 


RCSMAgentDevice 


47545 


KCbrlAgentbcreenshot 


59881 


RCMSAgentWebcam 


4640 


RCSMAgentPosition 


49858 


RCMSAgentMicrophone 


512 


RC M S Age ntO rgan ize r 





• Why does this sample uninstalls itself? 

• The answer is in the configuration file. 

• There is an expiration date. 

• April, 30, 20 1 2! 





• There is a thread that monitors and triggers 
events. 

• Essentially an internal crontab. 

• Started inside [RCSMTaskManager 
loadlnitialConfigu ration]. 





00018DF9 mov eax, ds: (clsaNsthread - 18D9Dh)[esl] ; class: "NSThread" 

00018DFF mov ecx, ds: fmsgaDetachnewthrea - 18D9Dh) [esi] ; message: "detachNewThreadSelector:toTarget:withObject: " 

OOOI8E05 mov edx, ds : f msgaEventsmonitor - l8D9Dh)[esi] ; message: " event sMonitor" 

0001 8 BOB mov [esp+OCh]^ edi ; RCSMTaskManager object 

0001 8 EOF mov edx ; event sMonitor 

00018E0F ; OX12E24 

OOOI8E13 mov [esp+4], ecx 

OOOI8EI7 mov [s^p], eax 

00018E1A mov dword ptr [esp+lOh], 0 ; nil object 

00018E22 call objc msgSend ; create a new thread that monitors/manages events? 



mov 
call 



mov 
fild 
fstp 
movsd 

loclCDSB: 

movsd 
call 



mov 
call 



mov 
call 
test 
jnz 



eax, dword ptr [ebp+var_90] 

edi^ edi 

eax^ edi 

edi, dword ptr [ebp+var_78] 

edi, 2AC18000h 

eax, 0FE624E21h 



jumptable OOOICB87 case 2 



value coming -From data 



[esp], edi 

dword ptr esp+OCh], 0 
dword ptr [esp+8], 98968oh 
divdi3 

edi, ds:(cls_aNsdate - lCA2Bh)[esi] 



edi, ds:(cls_aNsdate - lCA2Bh)[esi] ; class 
ecx, ds : (msg^aDatewithtime O - iCA2Bh)[esi] 
■esp+4], ecx 
|esp], edi 

dword ptr [ebp+var_28+4], edx 
dword ptr [ebp+var_28], eax 
■ebp+var_28] 
|ebp+var_30| 



class: "NSOate" 
esi] J message: 



"dateWithTimeIntervalSincel970:" 



ximO, [ebp+var_30] 



qword ptr [esp+8], xmmO 
objcmsgSend 
edi, eax 



2012-04-30 00:00:00 +0000 




CODE XREF: -[RCSMEvents eventTimer: ]+47Bij 



1, ds:(cls_aNsdate - lCA2Bh)[esi] 
ecx, ds : (msg_aDate - lCA2Bh)[esi] ; message: "date" 
■esp+4], ecx 
[esp], eax 
objcmsgSend 

ecx, ds: (msg^alsgreaterthan - lG\2Bh)[esi] ; message: "is 
r esp+8 1, edi ; date from config 

I esp+4], ecx 

I esp], eax ; current date 

objcmsgSend 

alj al 

loclCBES I do not let jump else uninstalls 

loc ID283 



J class: "NSDate" 
message: "date" 



message: "isGreaterThan: 



current date 




• How to bypass the date check: 

— Set your clock before installation of dropper 

— Or just NOP that jnz in #4 if you already 
installed with a later date. 




How does Crisis implement its features? 



How does it find the target applications? 




• A bundle is injected into targets. 

• To hook interesting functions. 

• Send data to the main backdoor module. 





• How is the bundle injected into targets? 

• Assume target is Mac OS X Lion. 

• Slightly different implementation for older OS X 
versions. 




• Different notification features exist in OS X. 

• Check Apple Technical NoteTN2050. 

• Let's focus on NSWorkspace option. 





• Interface with the workspace. 

• It allows applications to use Finder features. 

• Notifications are posted to NSWorkspace notification 
center 

• Only works for apps that use the window server aka 
GUI apps. 




• NSWorkspaceDidLaunchApplicationNotification 

— Posted when a new app has started. 

— The notification object is the shared NSWorkspace 
instance. 




"An NSNotificationCenter object (or simply, 
notification center) provides a meciianism for 
broadcasting information within a program. An 
NSNotificationCenter object is essentially a 
notification dispatch table." 





• Interesting Instance Method: 

• addObserver:selector:name:object: 

• "Adds an entry to the receiver's dispatch table 
with an observe^ a notification selector and 
optional criteria: notification name and sender" 





NSNotificationCenter *center; 

center = [[NSMorkspace sharedWorkspace] notlflcatlonCenter]; 

[center addObserver;self 

selector :(0sel€ctor(injectBundle:) 

name : NSWorkspaceDidLaunchApplicationNotif ication 

object: nil]; 

[center addObserverrself 

selector :(0seIector(willStopCris is : ) 

name : NSWorkspaceDidTerminateApplicationNotif ication 

object: nil]; 





mov eax, ds: f clsaNsdistributedn - lA824h)[esiJ ; class: "NSDistributedNotificationCenter" 

fnov ecx, ds: (msgaDefaultcenter - lA824h)[esi] ; message: "defaultCenter" 

mov resp+4], ecx 

mov [esp], eax 

call Dbjc msgSend 

mov ecx, ds: (msgaAddobserverSel - lAS24h)[esi] ; message: " addObserver: selector: name: object : " 

mov [ebp+var 14], ecx 

mov edx, ds:^msg_a_abchangedcall - lA824h)[esi] ; message: "ABChangedCallback: " 

lea ecx, (cfs aAbdatabasechan.isa - lA824h)[esi] ; "ABDatabaseL tjii^dNotification" 

mov [esp+lOh], ecx 

mov [esp+OCh], edx 

mov [esp+8], edi 

mov ecx, [ebp+var_14] 

mov [esp+4], ecx 

mov [ssp], eax 

mov dword ptr [esp+14h], 0 

call objcmsgSend 





• Whenever a graphical application is launched. 

• The Crisis installed observer is notified about 
the new process. 

• And injectBundle:(NSNotification*)notification 
is called. 





• About the selector parameter 

• "Selector that specifies the message the 
receiver sends notificationObserver to notify it 
of the notification posting.The method specified 
by notificationSelector must have one and only 
one argument fan instance of NSNotificationy " 





• That notification object can be used to retrieve info 
about the application. 

• Using for example the userlnfo method of 
NS Notification class. 

• Returns a dictionary with information associated to that 
application. 

• Name, PI D, etc. 




eax, ds: (msgaObjecttorkey - 0CBB6h)[esi] ; message: object ForKey: 
ecx, (cfs aNsapplicatio O.isa - 0CBB6h)[esi] ; 'NSApplicationProcessIdentifier" 
esp+i], ecx . 



ds:(cls_aNsnumber - 0CBB6h)[esi] ; class 
ds : (msgaAlloc - 0CBB6h)[esi] ; message: 



class: "NSNumber" 
saee: "alloc" 



sp+4J| eax 

esp]j edi ^^^^^^ 

objcmsgSend "^^^^^^ 
ecx^ ds:(msg_alnt value - 0CBB6h)[esi] ; message: "intValue" 
'espM]f ecx 
|esp]j eax 
objcmsgSend 
edi^ eax 

eax, ds:(cls_aNsnumber - 0CBB6h)[esi] ; class: "NSNumber" 
ecx, ds : (msg^aAlloc - 0CBB6h)[esi] ; message: "alloc" 
|esp+4], ecx 
|esp], eax 
objcmsgSend 

ecx, ds:(msg^al nit wit hint - 0CBB6h)[esi] ; message: "initWithInt: " 
|esp+8], edi 
|esp+4], ecx 
|esp], eax 
objcmsgSend 
edi, eax 

eax, ds:(msg_aS end even ttopid - 0CBB6h)[esi] j message: " sen dE vent ToPid : " 
|esp+8], edi 
|esp+4], eax 
eax, [ebp+self] 
|esp], eax 
objcmsgSend 



i i 



• sendEventToPid: is the method responsible for dealing 
with injection. 

• If target OS is Lion launches a new instance of the 
backdoor with parameter -p PID. 

• Other versions it tries to load directly scripting additions. 

• New security measures in Lion? 





lea 


ecx, (aP - 4792h)[esi] 




"-P 


mov 


|esp+4], ecx 


■ 


char * 


mov 


|esp], eax 


■ 


char * 


mov 


dword ptr [esp+8]^ 2 


■ 


sizet 


call 


strncmp 






test 


eaXj eax 








short loc_484E 






mov 


eax, [edi+8] 




char * 


mov 


[esp], eax 
atoi 


■ 


call 






mov 


^esp]j eax 






call 


11 on S en d E ventToP i d 








ionSendEventToPid does two things: 

— Forces AppleScript to load in the target 



— Injects the bundle using AppleScript events. 



void lionSendEventToPid (pid t pid) 
{ 

(...) 

SBApplication* sbApp = [SBApplication applicationWithProcessIdentifier:pid]; 

/* load AppleScript into the target */ 

[sbApp setSendMode:kAENoReply | kAENeverlnteract | kAEDontRecord]; 
[sbApp sendEvent:kASAppleScriptSuite id:kGetAEUT parameters :0]; 
/* inject the bundle */ 

[sbApp setSendMode:kAENoReply | kAENeverlnteract | kAEDontRecord]; 

[ sbApp sendEvent : ' RCSe ' id : ' load ' parameters : ' pido ' , [NSNumber numberWithInt : getpid () ] ] ; 
(...) 

} 




• Most of this code seems to be based (or ripped 
off?) from EasySIMBL or SIMBL 

• https://github.com/norio-nomura/EasySIMBL 

• http://wvwv.culaternet/software/SIMBL/ 
SIMBLphp. 





• Two possible entry points in a bundle. 

• One can be called from AppleScript. 

• The other the real bundle entry point. 





< key>OSAXHandlers</key> 
<dict> 

<ke >Events</key> 
<dict> 

<key>RCSeload</key> 
<dict> 

<key>Context</ > 
<string>Process</string> 
<key>Handler</ > 

<string>InjectEventHandler</ jtring> i 
< key>ThreadSaf e< / key> 
<false/> 
</dict> 
</dict> 
</dict> 




public InJectEventHandler 
InjectEventHandler proc near 

var 14 = dword ptr -14h 

varlO = dword ptr -lOh 

varC = qword ptr -OCh 

push rbp 

rm>v rbp, rsp 

sub rsp, 20h 

mov [rbp+varlO], 0 

mov |rbp+var_C]. 0 

mov [rbp+var_14L 0 

mov esi, *pido' 

mov edx, 'long' 

lea rex, [rbp+varlO] 

call AEGetParamDesc 

test ax, ax 

jnz short loc_33B7 

lea rdi, [rbp+var_10| 

lea rsi, [rbp+var 14^ 

mov edx, 4 

call AEGetDescData 

loc_33B7: : CODE XREF: Inject Even tHandler+34tj 

mov eax, [rbp+var_14] 
mov cs:^BackdoorPID, eax 
xor eax, eax 
add rsp, 20h 
pop rbp 
retn 

InjectEventHandler endp 




• The real bundle entry point. 

• Derived from principal class. 

• Either at Info.plist as NSPrincipalClass key. 

• On the first loaded class is considered the principal class. 

• Check "Code Loading ProgrammingTopics" Apple 
document. 




•mMk (gyjfff psrM (s) 



o o o 

[ RAW I RVA 



BUNDLE_EDrSdvW8.p_w 



3 



r Jd-llUIIU^ I I LJ\T^ 

Seclion64 (_TEXT,_ 
Secli0Ei64 (_TEXT,_ 

► &ection64 (_TE!CT,_ 
Seclion64 (_TE!CT,_ 

► Section64 (_TEXT,_ 
N>Seclione4 (_DATA,_ 

► Sectiort64 (_DATA,_ 
Secli 011/64 (_DATA,_ 

► Secli one4 (_DATA,_ 
▼ Secli on64 (_DATA,_ 

□ bJC2 Class List 
S-eciione^ (_DATA,_ 

► Secli on64 (_DATA,_ 
^Seciione4 (_DATA,_ 



LSLi my/ 

con si) 
uslring) 

.gcc_except_tab) 

.unwind_info) 

.eh_frame) 

_nl_svmbol_ptr) 

_got] 

_la_svmbol_plr) 

_mocJ_term_fijnc) 

_objc_classlist) 

_objc_nlclslist) 
_objc_catnsi) 
_objc_i mage info) 



offset 


1 Data 


1 Description 


1 Value 








89049 7 F0 


900a00000994A238 


Pointer 


9X4A238 


(_OBJC. 


.CLASS_ 


$ RCSHInputManager} ^^^^ 


8804 9 7 F8 


900a00000994A238 


Pointer 


9>:4A238 


(_OBJC_ 


_CLASS_ 


$_iriySHProcessCont roller} 


80043300 


900a00000994A2D8 


Pointer 


9X4A2D8 


(_OBJC_ 


_CLASS_ 


$_RCSH Shared Memory} 


8004 S 308 


900a00000994A328 


Pointer 


9>:4A328 


(_OBJC_ 


_CLASS_ 


$_mvSkypeChat) 


89049310 


900a00000994A378 


Pointer 


9X4A378 


(_OBJ C_ 


_CLASS_ 


$_mvEventCont roller} 


8904S31S 


900a00000994A3C8 


Pointer 


9>:4A3C8 


(_OBJC_ 


_CLASS_ 


$_mvMacCallX) 


88849828 


900 a 0 0000 994 A4 68 


Pointer 


9!t4A468 


(_OBJC_ 


_CiLASS_ 


$_mvBrowserWindowCont roller} 


89049328 


900 a 0 0000 994 A4 18 


Pointer 


9Jt4A418 


(_OBJC_ 


_CLASS_ 


$_mvLogglngOt3iect ) 


09049330 


900 a 00000 994 A4B8 


Pointer 


9X4A4B8 


(_OBJC_ 


_CLASS_ 


$_RCSHAgentAppllcation) 


89049338 


900a00000994A598 


Pointer 


9JC4A598 


i_OBJC_ 


_CLASS_ 


$_myIHWebViewCont roller} 


09049340 


900a00000994A558 


Pointer 


9X4A558 


(_OBJ C. 


.CLASS_ 


$_mvrHWindowConT rolle r ) 


09049348 


900a00000994A5A8 


Pointer 


9Jt4A5A8 


(_OBJC. 


.CLASS_ 


$_invNSDocunientCont roller) 




; void cdecl ^'[RCSMIn put Manager load] (struct RCSMInputManagermeta *self, SEL) 

_RCSMInputManager_load_ proc near ; DATA XREF: _objc_const:00€000000£X>48988xo 

push rbp 

mov rbp, rsp 

push rl4 

push rbx 

mov rbx, rdi 

mov rsi, cs:selRef_mainBundle 

mov rdi, cs:classRef_NSBundle 

xor al, al 

call objcmsgSend 

mov rsi, cs:selRef_bundleIdentifier 

mov rdi, rax 

xor al, al 

call objc msgSend 

mov rl4, rax 

mov rsi, cs:selRef_getSystemVersionMajor_minor_bugFix_ 

mov rdi, cs:classRef_RCSMInputManager 

lea rdx, _gpSMaJor 

lea rex, gOSMinor 

lea r8, _gOSBugFix 

call obJcmsgSend 





• Available in Microsoft Office package. 

• At least two methods hooked. 

• SendMessage:ccText:inHTML. 

• ParseAndAppendUnicode:inLength:inStyle:flndent:fParseE 
moticons:fParseURLs:inSenderName:fLocalUsen 

• Using Swizzling technique (Objective-C feature!). 




• Swizzling is essentially exchanging 
implementation pointers. 

• The original method can still be called. 

• Very easy to hook Objective-C methods. 

• Check for example JRSwizzle: https:// 
github.com/rentzsch/jrswizzle. 




short loc_2395 

rdij almwebviewcontr ; "IMWebViewCont roller" 
objc^get Class 
rl5, rax 

rdi, aHyimwebviewcon ; "mylMWebViewCont roller" 
objc^getClass 

rl2, cs : selRef ParseAndAppendUnicodeHook inLengthinStylef Indentf ParseEmoticonsf Pars^ 
rdi, rax 
rsi, rl2 

_c la s s^etMet h od Impl emen t at i on 

rsi, cs : selRef ParseAndAppendUnicodeinLengthinStylef Indentf ParseEmoticonsf ParseURLs 
rdi, rl5 

rdx, rax ^^^^^ 

^^^^^^^^ 

swizzleByAddingIMP ^^^^^^^^^ 

rdi, almwindowcontro ; "IMWindowCont roller" 
objc^getClass 
rl5, rax 

rdi, aHyimwindowcont ; "mylMWindowCont roller" 
objc^etClass ^^^^ 
rl2, cs:selRef_SendMessageHook_cchText_inHTML_ ^^^^l 
rdi, rax 
rsi, rl2 

class^etMethodlmplenentation ^^^^ 
rsi , cs : selRef SendMessage_cchText_inHTML_ 
short loc 23EE ^^^^ 




9db$ content 



EAX: 0K005061D0 EBXi 0K004F7C1E ECX: 
ESI: 0K7A67A7A0 EDI: 0K00000005 EBP: 
CS: 001B DS: 0023 ES: 0023 FSi 0000 



0KBFF1GE14 
0KBFFieF0e 
GS1 000F 



EDX: 0K00000000 
ESP: 0KBFFieE9C 
jSi 0023 



0 4 



■[ rogsl 
I t s g 



a P c 



EIP: 0K005061D0 



0K5061d0 

0x50 

0K50 

QkSZ 
0kB0 
0>:S061d6 
0>;5061dc 
0KB061el 




(0K4201d0] 
01dl 
201d3 
201d4 
20^dS] 

f 0K4201'jc) 

(0K4201t;l) 



] : 55 push ebp 

RECEIVER SBEfTTDR 



.1^ 



53 

81 ec cl 
eQ 00 0I 
5b 



00 00 

00 00 



00 



/ 




--[eodel 

[Microsoft Nessenger] 
[Microsoft Messenger] 
[Microsoft Messenger] 
[Microsoft Messenger] 
[Microsoft Messenger] 
enger] 
Oj^KiHiKK e n g e r ] 
icrosoTt Messenger] 



... , r 

0KbfflBe9c: 0K004f7e00 0K7a67a7a0 0K01B6aae2 0K7a5b091B 

0Kbffieeac: 0x00000005 0K0a906a5B 0K0233c9e0 0K7aa7e2d0 

0KbfflBebc: 0K01G76665 0Kacdbl 
gdb$ 5-1 




gdbj K/s 0Kie6aae2 

0Kie6aae2: "SendHessage: cchText: inHTNL: " 
ccbs po 0>;a906a5B 

<htiiil><head><iiieta http-equiv="'Content-Type" content="text/htinl; cha rset=utf-B"x/head><body sty'Le = "f ont-f amily : 

LucidaGrande; color: rgb(0, 0, 0); font-size: 12pK; word-wrap: break-word; font-weight: nornal; font-style: no 

rmal; text-decoration: none; margin-left: 3px; margin-top: 3px; -webkit-nbsp-mode: space; -webkit-line-b reak : a 
f ter-white-space; ">1 2 3</body></htiiil> 



gdbf I 






• Encrypted data over HTTP 

• REST Protocol. 

• Session key negotiated with the server 

• Breakpoint [AuthNetworkOperation perform] 
to reverse the initial communication. 





• A fourth encryption key. 

• Symbol gBackdoorSignature. 

• Check the recent released SANS paper; it has a 
good analysis on this. 




tJerect and dispose of rootki^ 



Rootkfts 



FOR, 



>1 Reference 

_ for the, . . . 

Rest of Us! 



tools for network 
admtmstrators 
on CO 




• 32 bits kernel extension: Lft2iRjk.7qa. 

• 64 bits kernel extension: BZPYmgGVTOA. 

• Extremely small: 10 and 14 kbytes. 

• Very few features. 

• Hide files and processes. 



J9 O O 171 Fjuctions window 



Function name 


Ssgment 


Start 




j: 






_text 


OOOOOOOOOOOOOAB? 








\j \ IdjFt HJI _ |_r| ULi CSO CKAj lUOlliF 1^ 


text 


00000 OO000O00CB2 




X 




1 luun. ycLuii ci III icibu^ 


_text 


0000000000000 D1 8 




Ji 




rinnlf notHI mrklriioc at+r 


text 


O00000O000000F13 




T_ 




^laL c r lUUrs^ 


text 


0000000000001206 




z_ 




_rcrTiuve_riLKJPtii 


text 


00000 00000 001 2 A8 




T_ 




aHH Hit' tn hiHo 
aUU UN _LU_I MUc 


_text 


0000000000001320 




z. 




L7cJL.fVUlLJnJr If 111 


text 


0000000000001 3 D5 








ijcl UU 1 r HJcA 


_te>tt 


0000000000001 51 D 




z. 




Fc rTiuvc;_ucv c r iiiiy 


_te>rt 


0000000000001595 




J 




Hpallnif^ mph 

UCallLJu llldl 


_text 


0000000000001 5BB 


1 








_ta!Jrt 


0000000000001 5 F5 




J 




hfippU cum hnlc i ntf^/iirjhj 
ijiic'L'n. ^yrriLPUi^ ii ilcuii Jiy 


_te>rt 


0000000000001 6 S7 








lts_lctJL?cllU 


text 


00000 00000 00 170B 








lo oi luw itruLJcii u 


_text 


0000000000001727 




Tf 

J 




ic Urir\ 


_te!)rt 


0000000000001 74S 




j: 
Ji 




[ iiuc pruL/ 1 


_text 


0000000000001765 








1 IILIc pi Usj 


_text 


0000000000001 S 51 




Ji 




iinriiHo mrf\f^ 
U r Ir 1 lUc yjt kJij 


_text 


0000000000001934 




T_ 




m/^hrvT-L" dart 
1 1 lOr ILnJrs old.1 1 


text 


0000000000001 9 CO 




T_ 




1 1 lOr ILnJ^rs ollip 


text 


0000000000001 AlC 




z. 






text 


000000000000 1A50 










text 


00000 00000 00 1A58 




J_ 






„text 


000000000000 1A60 


1 






CI ih 1 rnA 


_texi 


0000000000001 Fa A 




£_ 




c-i iK 1 rnfi. 


_text 


0000000000001 FD6 




£_ 




r n 1 1 


UNDEF 


0000000000003790 




z_ 




MAI 1 nr" 


UNDEF 


O0000O0000O0379B 




z_ 




y^ht Tf^il 
h laSjt\_xj n 1 dl 1 


UNDEF 


00000 00000 0037A0 








tUcVtiW_aJuiJ 


UNDEF 


0O000OO000O037B0 




J 






UNDEF 


O0000O00000037Be 


1 


7 




_copyin 


UNDEF 


00000 00000 0037C0 




7 




_copyout 


UNDEF 


00000000000037C8 




n 




_devfs_imake_nQde 


UNDEF 


0000COO00OO037D0 


m 


_devfs_remove 


UNDEF 


OO000OO000O037D8 


\m 


_m em move 


UNDEF 


00000 00000 0037FO 


\m 


_memset 


UNDEF 


00000000000037FB 


\m 


_proc_name 


UNDEF 


0000000000003800 


\m 


_strlen 


UNDEF 


000000000000380B 


\m 


_strnemp 


UNDEF 


0000000000003810 


\m 


_strnepy 


UNDEF 


0000000000003818 















IJrte34 of 41 



%(Mwi %m(l^ 

• Uses device /dev/pfCPU for communication 
with userland. 

• Kernel symbols resolved in userland and 
transmitted back to rootkit. 




The "famous" iocti bu' 



# nclude <sys/ioctl.h> 

# nclude <stdio.h> 

# nclude <fcntl.h> 



int main (voirf) 
{ 

int fd = open("/dev/pfCPU", 0_RDWR); 
if (fd == -1) 

{ 

printf(" Failed to open rootkit device!\n"); 
return (1); 

} 

int ret = ioctl(fd^ Ox80ff6b26, "reverser"); 
if (ret -1) 

printf("ioctl failed!\n"); 

else 

printf("os.x crisis rootkit unmasked !\n"); 



Its best feature is a method to hide the rootkit 
from kernel extensions list. 

By attacking the "new" lOKit object where that 
info is located. 

Check http://reverse.put.as/20 1 2/08/2 1 /tales- 
from-crisis-chapter-3-the-italian-rootkit-job/. 



• All four samples don't install and use it. 

• The "Ah56K" vs "Ah57K" mode. 

• All samples are ' Ah56K", which doesn't seem to 
try to escalate privileges. 

• No rOOt, no rootkit! 



• Even if lame, Crisis is feature complete. 

• And certainly effective against many targets. 

• Few core technology developed in-house. 

• Mostly glued code/stuff from others. 





• This sample was thought to be newen 

• Mostly because of: 

— "Connection" to Pope Francis: Frantisek. 

— Binary configuration file instead of JSON. 

— The OpenSSL trick. 

— Code changes in the dropper 




• Maybe... 

• This sample could be a decoy. 

• Or a customized version. 

• It has only one agent active. 

• All the other samples have more than one. 



• The active agent just collects info about target. 

• Has a lower serial number 329. 

• Biglietto Visita sample serial is higher than 
Frantisek. 



The order samples were found/reported: 




MD5 



eria 



C&C IP 



6fD55 1 5086 1 d8d6e 1 45e9aca65f92822 24/07/12 N/A 



76.58.100.37 



b22e4324f4089a 1 66aae69 1 dff2e636 16/11/12 N/A 



ar-24.com 



a32e073 1 32ae0439daca9c82b8 1 1 9009 11/11/13 RCS 537 1 76.58. 1 2 1 .242 



5a88ed9597749338dc93fe2dbfdbe684 18/01/14 RCS 329 176.79.146.167 



What I think is the true order: 




a32e073 1 32ae0439daca9c82b8 1 1 9009 11/11/13 RCS 537 1 76.58. 1 2 1 .242 



b22e4324f4089a 1 66aae69 1 dfF2e636 16/11/12 N/A 



ar-24.conn 



6fD55 


5086 1 


d8d6el 


45e9aca65f92822 24/07/ 1 


2 N/A 


76.58. 


00.37 



o o o 

f 



RAW 



RVA 



D a2e3f93fc91cc4fOf5b28605371d39a6c4bdb3a7e841097dc7615bc2aa43a779 

1 



3 





offset 


Data 


Description 


1 Value 








5F5F6A756D705F7461526C6,,. 


Section Name 


j ump_table 






5F5F494D504F5254000000fl.,. 


Segment Name 


IMPORT 




B00001E8 


00003000 


Address 


0x3000 






00000005 


Size 


5 






00002000 


Offset 


3192 




e0000iF4 


00000006 


Alignment 


54 




000001F8 


00000000 


Relocations Offset 


0 






00000000 


Number of Relocations 


0 




00000200 


04000008 


Flags 












00000008 


S_S¥MBGL_STUBS 










04000000 


S_ ATTR_S E LF_HO DI F YING_C ODE 




00000204 


00000000 


Indirect Sym Index 


0 




00000208 


00000005 


Size of Stubs 


5 





















Mach Header 
▼ Load Commands 

LC_SEGMENT (_PACEZER05 

▼ LC_SEGMENT (_TEXT) 

Section Header (_text5 
► LC_SEGMENT (_DATA) 

▼ LC_SEGMENT (_IMPORT) 

Section Header ( [uimp_table) 

LC_SEGMENT (_LINKEDIT) 

LC_SECMENT (_INIT_STUB) 

LC_SYMTAB 

LC_DYSYMTAB 

LC_LOAD_DYLINKER 

LC_ULIID 

LC_UNIXTHREAD 

LC_LOAD_DYLIB i:iibgcc_s.l.dylib) 
LC_LOAD_DYLI B [libSystem.B.dy fi b) 

g^^t i J. p. I Tr:v-r taim 



• This particular Mach-O layout is only compiled 
with Xcode 3. 1 .4 or older 

• In a OS X 10.5 system (because of dyld). 

• Against 10.5 SDK. 

• Xcode 3.2.6 with 10.5 SDK does not replicate. 




o o o 

[ H RAW I RVA 



D aedl35515bgf326fb2c74b30b452857d8c93f4c74accOf3e5904ab6feOf966d2 

(5 



1 



LC_DYSYMTAB 

LC_LOAD_DYLINKER 

LC_UUID 

LC_ VERSI 0 N_ M I N_ M ACOSX 
LC_UNIXTHREAD 



Offset Data 

0e424__&0e 0 0 &ia_ 

00000428 000A0500 
0000042C 00000000 



DeEnriptfor 



Command 
CDirmand Size 



Version 
Reserved 



I Value 



LC_VE RSION_M IN_MA C OSX 
16 



10.6.0 
9 



O O O D 10fa7fa952dfc933b96d92ccd254a765S840250a787alb4d9SS9bf2'f70153791 

[ ^ RAW I RVA 



3 



LC_DYSYMTAB 




Offset 


1 Data 


. Description 


1 Value 


LC_LOAD_DYLINKER | 




00000420 


00000024 


Command 


LC VERSION MIN MACOSX 


LC_UUID 1 




00060424 


00000010 


Command Size 


16 ^ 


LC_ VERSI ON_MIN_M ACOSX 


If 


00000428 


000A0700 


Version 


10-7.0 ^ ~ 


LC_UNIXTHREAD 




000'0342C 


00000000 


Reserved 


0 ^ 


LC_LO AD_DYL 1 B {1 i bSyste m.B. . . . 







• I guess they gave up on M PRESS. 

• And moved fronn binary configuration to JSON 
format. 

• Playing around with different versions? 

• Releasing decoy versions? 

• Customized versions? 




• Assuming all this theory is true. . . 

• There are no new public samples. 

• Everything is from 20 1 2 or before. 

• Do you have them? 




• The current AV model is not working. 

• Considerable knowledge gap? 

• Are potential targets of Crisis protected or not 
if they use up-to-date AV? 




• Assuming we have a knowledge gap. 

• Can the new samples be any better? 

• I seriously doubt it. 

• HackingTeam is low skilled. 

• Windows version isn't much better 




"@osxreverser think we can stop here. Waiting for 
your next talk we're going to have fun as always 
(privately of course, we need no groupies)" 




"Just one more thing...." 




call [ebp+getenv ptr 

add esp, 4 

mov [ebp+var_EO], eax 

imp short loc 63^5 



63EE: 

mov [ebp+varlO], 1 

.63F5: 

push 80h 

call [ebp+mallocptr] 

add esp, 4 

mov [ebp+var 1M]| eax 

mov eax, [ebp+var_154] 

push eax 

mov ecx, [ebp+var_158] 

push ecx 

mov edx, [ebp+var_EO] 

push edx 

mov eax, [ebp+var_164] 

push eax 

mov ecx, [ebp+var_lA4] 

push ecx 

call rebp+sprintf ptr 



; retrieve HOME folder of current logged in user 



; CODE XREF: main+AlStj 



i CODE XREF: main+A2Atj 
I <- smart idea! 



; "Preferences" 

; "Library" 

] $HOME 

; "SBs/aSs/SBs" 

; buffer 

■ sprintf FIVI W 




0000 5 D50 mov e ax , [ e b p+image c ou n t er J 

0000 5 D5 6 push eax 

00005D57 call [ebp+_dyld_get_image nameptr] ; _dyld^et_image_name(index) 

O00O5D5D add esp, 4 

O0005D6O mov [ebp+var_l80], eax 

00005 D6 6 rnov ecx, [ebp+imagecounter] 

00005 D6C push ecx 

00005 D6D call [ebp+_dyld_get_image_header_ptr] 

OO0O5D73 add esp, 4 

00005 D7 6 mov [ebp+varlAO], eax 

00005 D7C rnov edx, [ebp+var_l80] 

00005 D8 2 push edx 

O0OO5D83 call hashstring 

00005D88 add esp, 4 

00005D8B cmp eax, [ebp+var_BC] ; looking for /usr/lib/libSystefn.B.dylib 

OO005D91 jnz loc_6005 

00005 D9 7 cmp [ebp-fdyld^getimageheaderptr], OFFFFFFFFh 

00005 D9E jz loc_6003 

00005 DM call maplibsystemB ; the image name was obtained above 

00005DA4 ; but it's then encoded in this function... 

00005DA9 mov [ebp+varSol , eax ; mnap to the library 

00005DAC cmp [ebp+var_80] , 0 

00005 DBO jnz short loc_5DB7 

00005DB2 call SYS exit 





000056C2 

000O56C3 
000056C5 
00{3056C8 
000056CE 
000O56D3 
000056D8 
000O56DD 
000056E2 

000O56E7 
0(30O56EC 
000056 Fl 
000056 F3 
000056 F5 
000056 F6 
000056 F8 
000056 FA 
000056 FB 




SYSopen 




• You for spending time of your life listening to 
me and the initial reviewers (Jonathan, An drey, 



Taiki, Patrick). 




http://reverse.put.as 
http://github.com/gdbinit 
reverser@put.as 




osxreverser 



#osxre (0) irc.freenode.net 



A day full of possibilities! 




Let's go exploring! 



